From 5b1459e623b0e0246a0bffade2945da8196bccf3 Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 22 May 2025 14:03:54 +0000 Subject: [PATCH 01/10] genpolicy: test framework: enable config map usage This patch improves the test framework for the genpolicy tool by enabling the use of config maps. Signed-off-by: Archana Choudhary --- src/tools/genpolicy/tests/policy/main.rs | 30 ++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/src/tools/genpolicy/tests/policy/main.rs b/src/tools/genpolicy/tests/policy/main.rs index 0f61c9f30..e6c730c9c 100644 --- a/src/tools/genpolicy/tests/policy/main.rs +++ b/src/tools/genpolicy/tests/policy/main.rs 
@@ -63,14 +63,36 @@ mod tests { /// a JSON list of [TestCase] instances. Each instance will be of type enum TestRequest, /// with the tag `type` listing the exact type of request. async fn runtests(test_case_dir: &str) { - // Prepare temp dir for running genpolicy. - let (workdir, testdata_dir) = prepare_workdir(test_case_dir, &["pod.yaml"]); + // Check if config_map.yaml exists. + // If it does, we need to copy it to the workdir. + let is_config_map_file_present = path::PathBuf::from(env!("CARGO_MANIFEST_DIR")) + .join("tests/policy/testdata") + .join(test_case_dir) + .join("config_map.yaml") + .exists(); - // Run the command and return the generated policy. + let files_to_copy = if is_config_map_file_present { + vec!["pod.yaml", "config_map.yaml"] + } else { + vec!["pod.yaml"] + }; + + // Prepare temp dir for running genpolicy. + let (workdir, testdata_dir) = prepare_workdir(test_case_dir, &files_to_copy); + + let config_files = if is_config_map_file_present { + Some(vec![workdir + .join("config_map.yaml") + .to_str() + .unwrap() + .to_string()]) + } else { + None + }; let config = genpolicy::utils::Config { base64_out: false, - config_files: None, + config_files, containerd_socket_path: None, // Some(String::from("/var/run/containerd/containerd.sock")), insecure_registries: Vec::new(), layers_cache: genpolicy::layers_cache::ImageLayersCache::new(&None), From 9ebbc08d702a84c095594d6c462923041747dca7 Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 22 May 2025 14:37:26 +0000 Subject: [PATCH 02/10] genpolicy: enable storage checks This patch - adds condition to add container image layers as storages - enable storage checks - fix CI policy test cases - update genpolicy-settings.json to enable storage checks - remove storage object addition in container image parsing 
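Review bot: `files_to_copy` is allocated as a `Vec<&str>` only to be borrowed once by `prepare_workdir`, and `config_files` is a hand-written `if`/`else` over the same flag; both read more directly as `let files_to_copy: &[&str] = if is_config_map_file_present { &["pod.yaml", "config_map.yaml"] } else { &["pod.yaml"] };` and `let config_files = is_config_map_file_present.then(|| vec![workdir.join("config_map.yaml").to_string_lossy().into_owned()]);`. The `.to_str().unwrap()` is tolerable in a test, but `to_string_lossy()` removes the panic path for a non-UTF-8 temp directory at no cost. The comment above the existence check would be more useful if it said why the file is copied, presumably so genpolicy can resolve the pod's `configMap` volume against a manifest it was given via `config_files`. `runtests` continues past the end of this hunk.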
Signed-off-by: Archana Choudhary --- src/tools/genpolicy/genpolicy-settings.json | 5 +- src/tools/genpolicy/rules.rego | 67 +++++++++++++++----- src/tools/genpolicy/src/mount_and_storage.rs | 12 ---- src/tools/genpolicy/src/policy.rs | 8 ++- src/tools/genpolicy/src/yaml.rs | 7 +- 5 files changed, 63 insertions(+), 36 deletions(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index 77ec29994..cc8c9f006 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -155,7 +155,7 @@ "emptyDir": { "mount_type": "local", "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", - "mount_point": "^$(cpath)/$(sandbox-id)/local/", + "mount_point": "^$(cpath)/$(sandbox-id)/rootfs/local/", "driver": "local", "source": "local", "fstype": "local", @@ -315,7 +315,8 @@ "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE" - ] + ], + "image_layer_verification" : "none" }, "kata_config": { "confidential_guest": false, diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 5db3cc629..1b09e89e6 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -671,8 +671,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) if { count(p_matches) == count(input.OCI.Mounts) - # TODO: enable allow_storages() after fixing https://github.com/kata-containers/kata-containers/issues/8833 - # allow_storages(p_storages, i_storages, bundle_id, sandbox_id) + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) print("allow_by_bundle_or_sandbox_id: true") } 
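Review bot: The added `"image_layer_verification" : "none"` line puts a space before the colon, unlike every other key in this file (`"mount_type": "local"`, `"driver": "local"`), so it should be `"image_layer_verification": "none"`. Because JSON cannot carry a comment, the accepted values of this setting and the effect of the shipped default are only discoverable from `policy.rs` and `rules.rego`, so the doc comment on the corresponding `CommonData` field is the place to spell them out.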
@@ -1038,17 +1037,9 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if { p_count == i_count - # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. - some overlay_storage in p_storages - overlay_storage.driver == "overlayfs" - print("allow_storages: overlay_storage =", overlay_storage) - count(overlay_storage.options) == 2 - - layer_ids := split(overlay_storage.options[0], ":") - print("allow_storages: layer_ids =", layer_ids) - - root_hashes := split(overlay_storage.options[1], ":") - print("allow_storages: root_hashes =", root_hashes) + image_info := allow_container_image_storage(p_storages) + layer_ids := image_info.layer_ids + root_hashes := image_info.root_hashes every i_storage in i_storages { allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) @@ -1057,6 +1048,23 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if { print("allow_storages: true") } +# Currently, Image Layer Integrity Verification through Policy is only required for Guest VMs +# that use container image layers provided as dm-verity-protected block device images created on the Host. +allow_container_image_storage(p_storages) = { "layer_ids": [], "root_hashes": [] } { + policy_data.common.image_layer_verification != "host-tarfs-dm-verity" +} + +allow_container_image_storage(p_storages) = { "layer_ids": layer_ids, "root_hashes": root_hashes } { + policy_data.common.image_layer_verification == "host-tarfs-dm-verity" + + some overlay_storage in p_storages + overlay_storage.driver == "overlayfs" + count(overlay_storage.options) == 2 + + layer_ids := split(overlay_storage.options[0], ":") + root_hashes := split(overlay_storage.options[1], ":") +} + allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) if { some p_storage in p_storages 
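Review bot: Both new `allow_container_image_storage(p_storages) = { ... } {` rule heads omit the `if` keyword that the rest of this file uses (`allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if {` is visible in the hunk header), and if the file is evaluated with `import rego.v1` or OPA 1.0 semantics a body without `if` is a parse error rather than a style nit. The heads should read `allow_container_image_storage(p_storages) := {"layer_ids": [], "root_hashes": []} if {` and `allow_container_image_storage(p_storages) := {"layer_ids": layer_ids, "root_hashes": root_hashes} if {`. The same omission applies to the three `allow_storage_source` rules in the next hunk of this file and to the `image_guest_pull` variant of `allow_storage` added in patch 06. The comment above the first rule could also state the consequence for operators: with any value other than `"host-tarfs-dm-verity"` the layer and root-hash lists are empty, so image layers are not verified by policy at all.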
@@ -1066,15 +1074,44 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hash p_storage.driver == i_storage.driver p_storage.driver_options == i_storage.driver_options p_storage.fs_group == i_storage.fs_group + p_storage.fstype == i_storage.fstype + allow_storage_source(p_storage, i_storage, bundle_id) allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) - # TODO: validate the source field too. - print("allow_storage: true") } +allow_storage_source(p_storage, i_storage, bundle_id) { + print("allow_storage_source 1: start") + + p_storage.source == i_storage.source + + print("allow_storage_source 1: true") +} +allow_storage_source(p_storage, i_storage, bundle_id) { + print("allow_storage_source 2: start") + + source1 := p_storage.source + source2 := replace(source1, "$(sfprefix)", policy_data.common.sfprefix) + source3 := replace(source2, "$(cpath)", policy_data.common.cpath) + source4 := replace(source3, "$(bundle-id)", bundle_id) + + print("allow_storage_source 2: source =", source4) + regex.match(source4, i_storage.source) + + print("allow_storage_source 2: true") +} +allow_storage_source(p_storage, i_storage, bundle_id) { + print("allow_storage_source 3: start") + + p_storage.driver == "overlayfs" + i_storage.source == "none" + + print("allow_storage_source 3: true") +} + allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) if { print("allow_storage_options 1: start") diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs index 394c06658..f12714ec4 100644 --- a/src/tools/genpolicy/src/mount_and_storage.rs +++ b/src/tools/genpolicy/src/mount_and_storage.rs @@ -375,7 +375,6 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec, - storages: &mut Vec, destination: &str, ) { // https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile 
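Review bot: The second `allow_storage_source` rule applies `regex.match(source4, i_storage.source)` to every policy storage, and `regex.match` is unanchored, so a literal policy source such as the emptyDir `"source": "local"` from genpolicy-settings.json also accepts any input source that merely contains `local` as a substring; rule 1 already covers the literal case, so rule 2 should be restricted to sources written as patterns, e.g. by adding `startswith(source1, "^")` before the substitutions (the `mount_source` patterns in the settings file follow that convention, assuming the regex-style `source` values do too) or by anchoring the pattern it builds. `bundle_id` is also substituted into the pattern unescaped, which is presumably the same approach the existing `mount_source_allows` takes and is safe only as long as the bundle id is validated against a strict character set elsewhere; a one-line comment stating that dependency would help the next reader. The `p_storage.fstype == i_storage.fstype` line closes a previously missing check and is a welcome addition.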
@@ -404,17 +403,6 @@ pub fn get_image_mount_and_storage( settings_image ); - storages.push(agent::Storage { - driver: settings_image.driver.clone(), - driver_options: Vec::new(), - source: settings_image.source.clone(), - fstype: settings_image.fstype.clone(), - options: settings_image.options.clone(), - mount_point: destination_string.clone(), - fs_group: protobuf::MessageField::none(), - special_fields: ::protobuf::SpecialFields::new(), - }); - let file_name = Path::new(&destination_string).file_name().unwrap(); let name = OsString::from(file_name).into_string().unwrap(); let source = format!("{}{name}$", &settings_image.mount_source); diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs index ae6fdea82..d28f23df2 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -418,6 +418,9 @@ pub struct CommonData { /// Default capabilities for a privileged container. pub privileged_caps: Vec, + + /// Parse Container image as a storage object + pub image_layer_verification: String, } /// Configuration from "kubectl config". @@ -615,7 +618,10 @@ impl AgentPolicy { let image_layers = yaml_container.registry.get_image_layers(); let mut storages = Default::default(); - get_image_layer_storages(&mut storages, &image_layers, &root); + const HOST_TARFS_DM_VERITY: &str = "host-tarfs-dm-verity"; + if self.config.settings.common.image_layer_verification == HOST_TARFS_DM_VERITY { + get_image_layer_storages(&mut storages, &image_layers, &root); + } resource.get_container_mounts_and_storages( &mut mounts, &mut storages, diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs index edc2ff9ad..131d2ce0b 100644 --- a/src/tools/genpolicy/src/yaml.rs +++ b/src/tools/genpolicy/src/yaml.rs 
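Review bot: With the `storages.push(...)` block removed here and the `storages` parameter dropped in the `@@ -375,7 +375,6` hunk, `get_image_mount_and_storage` no longer produces a storage object, so its name now promises something it does not do. Since its only caller in yaml.rs is updated in this same commit, renaming it to `get_image_mount` would be cheap; failing that, the function's doc comment should say that only a policy mount is generated for a volume declared by the container image and that no storage entry is emitted for it any more. The function body continues past the end of this hunk.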
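Review bot: The doc comment `/// Parse Container image as a storage object` on the new `image_layer_verification: String` field does not say what the string holds, and the only value the code acts on is the `"host-tarfs-dm-verity"` literal in the `@@ -615,7 +618,10` hunk, with `"none"` as the default shipped in genpolicy-settings.json. A comment along the lines of `/// Image layer verification mode. When set to "host-tarfs-dm-verity", genpolicy emits the container image layers and their dm-verity root hashes as policy storages so rules.rego can verify them; any other value (the shipped default is "none") skips that.` would make the trade-off visible to whoever edits the settings. The function-local `const HOST_TARFS_DM_VERITY` would be better hoisted to a module-level `pub const` next to `CommonData` so the doc comment can reference it and the literal that rules.rego also compares against has one home in the Rust code. If `CommonData` is deserialized with serde, as the settings JSON suggests, a small `enum` with `#[serde(rename = "...")]` variants would additionally reject a misspelled mode at load time instead of silently disabling verification.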
@@ -313,12 +313,7 @@ pub fn get_container_mounts_and_storages( for volume in volumes { debug!("get_container_mounts_and_storages: {:?}", &volume); - mount_and_storage::get_image_mount_and_storage( - settings, - policy_mounts, - storages, - volume.0, - ); + mount_and_storage::get_image_mount_and_storage(settings, policy_mounts, volume.0); } } } From 68c8c3171825119882d5c8f803fde884a3ae63ad Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 22 May 2025 14:39:18 +0000 Subject: [PATCH 03/10] genpolicy: tests: add test for config_map volumes This patch adds test for config_map volumes. Signed-off-by: Archana Choudhary --- src/tools/genpolicy/tests/policy/main.rs | 5 + .../volumes/config_map/config_map.yaml | 7 + .../volumes/config_map/pod.yaml | 21 +++ .../volumes/config_map/testcases.json | 151 ++++++++++++++++++ 4 files changed, 184 insertions(+) create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json diff --git a/src/tools/genpolicy/tests/policy/main.rs b/src/tools/genpolicy/tests/policy/main.rs index e6c730c9c..c657f1c6e 100644 --- a/src/tools/genpolicy/tests/policy/main.rs +++ b/src/tools/genpolicy/tests/policy/main.rs @@ -284,4 +284,9 @@ mod tests { async fn test_create_container_mounts() { runtests("createcontainer/volumes/emptydir").await; } + + #[tokio::test] + async fn test_create_container_volumes_config_map() { + runtests("createcontainer/volumes/config_map").await; + } } diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml new file mode 100644 index 000000000..426cb22e8 --- /dev/null 
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-map1 +data: + simple_value1: value1 diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml new file mode 100644 index 000000000..bd49e5243 --- /dev/null +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: dummy +spec: + runtimeClassName: kata-cc-isolation + containers: + - name: dummy + image: "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" + volumeMounts: + - name: config + mountPath: /config + readOnly: true + volumes: + - name: config + configMap: + name: config-map1 + items: + - key: simple_value1 + path: simple_value1 diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json new file mode 100644 index 000000000..88cdfd283 --- /dev/null +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json 
@@ -0,0 +1,151 @@ +[ + { + "description": "CreateContainer with config map volume", + "allowed": true, + "request": { + "type": "CreateContainer", + "OCI": { + "Version": "1.1.0", + "Annotations": { + "io.kubernetes.cri.sandbox-name": "dummy", + "io.kubernetes.cri.sandbox-namespace": "default", + "io.kubernetes.cri.container-type": "container", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id", + "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000", + "io.kubernetes.cri.container-name": "dummy" + }, + "Linux": { + "GIDMappings": [], + "MountLabel": "", + "Resources": { + "Devices": [] + }, + "RootfsPropagation": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + }, + { + "Path": "/run/netns/podns", + "Type": "network" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + }, + "Process": { + "SelinuxLabel": "", + "User": { + "Username": "", + "UID": 65535, + "AdditionalGids": [ + 0 + ] + }, + "Args": [ + "/pause" + ], + "Cwd": "/", + "NoNewPrivileges": false, + "Capabilities": { + "Ambient": [], + "Bounding": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Effective": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", 
+ "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ], + "Permitted": [ + "CAP_CHOWN", + "CAP_DAC_OVERRIDE", + "CAP_FSETID", + "CAP_FOWNER", + "CAP_MKNOD", + "CAP_NET_RAW", + "CAP_SETGID", + "CAP_SETUID", + "CAP_SETFCAP", + "CAP_SETPCAP", + "CAP_NET_BIND_SERVICE", + "CAP_SYS_CHROOT", + "CAP_KILL", + "CAP_AUDIT_WRITE" + ] + } + }, + "Root": { + "Readonly": false, + "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + } + }, + "storages": [ + { + "driver": "watchable-bind", + "driver_options": [], + "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-config", + "fstype": "bind", + "options": [ + "rbind", + "rprivate", + "ro" + ], + "mount_point": "/run/kata-containers/shared/containers/watchable/bundle-id-a1b2c3d4e5f6g7h8-config", + "fs_group": null + } + ] + } + } +] From d7f998fbd55f939ef75318f51f0379a39792e2af Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 22 May 2025 15:20:55 +0000 Subject: [PATCH 04/10] genpolicy: tests: update test for emptydir volumes This patch - updates testcases.json for emptydir volumes/storages Signed-off-by: Archana Choudhary --- src/tools/genpolicy/tests/policy/main.rs | 2 +- .../volumes/emptydir/testcases.json | 338 +++++++++++++++++- 2 files changed, 331 insertions(+), 9 deletions(-) diff --git a/src/tools/genpolicy/tests/policy/main.rs b/src/tools/genpolicy/tests/policy/main.rs index c657f1c6e..f875fcefc 100644 --- a/src/tools/genpolicy/tests/policy/main.rs +++ b/src/tools/genpolicy/tests/policy/main.rs @@ -281,7 +281,7 @@ mod tests { } #[tokio::test] - async fn test_create_container_mounts() { + async fn test_create_container_volumes_empty_dir() { runtests("createcontainer/volumes/emptydir").await; } diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json index debe74446..8460c9d54 100644 
--- a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/emptydir/testcases.json @@ -163,7 +163,53 @@ ] } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } }, { 
@@ -310,7 +356,53 @@ ] } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } }, { 
@@ -467,7 +559,53 @@ ] } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } }, { 
@@ -608,7 +746,53 @@ "source": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume" } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } }, { 
@@ -1109,7 +1293,53 @@ ] } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } }, { 
@@ -1256,7 +1486,53 @@ ] } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } }, { 
@@ -1403,7 +1679,53 @@ ] } ] - } + }, + "storages": [ + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume", + "options": [ + "mode=0777" + ], + "source": "local" + }, + { + "driver": "local", + "driver_options": [], + "fs_group": null, + "fstype": "local", + "mount_point": "/run/kata-containers/shared/containers/0000000000000000000000000000000000000000000000000000000000000000/rootfs/local/test-volume2", + "options": [ + "mode=0777" + ], + "source": "local" + } + ] } } -] \ No newline at end of file +] From bd2dc1422e0cf634a7cd4174331306c42357accb Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 22 May 2025 16:35:50 +0000 Subject: [PATCH 05/10] genpolicy: add test for container images having volumes This patch adds a test case to genpolicy for container images that have volumes. Examples of such container images include: - quay.io/opstree/redis - https://github.com/kubernetes/examples/blob/master/cassandra/image/Dockerfile 
Signed-off-by: Archana Choudhary --- src/tools/genpolicy/.gitignore | 3 +- src/tools/genpolicy/tests/policy/main.rs | 5 + .../volumes/container_image/pod.yaml | 10 ++ .../volumes/container_image/testcases.json | 127 ++++++++++++++++++ 4 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/pod.yaml create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json diff --git a/src/tools/genpolicy/.gitignore b/src/tools/genpolicy/.gitignore index 4306af926..7e41ebe98 100644 --- a/src/tools/genpolicy/.gitignore +++ b/src/tools/genpolicy/.gitignore @@ -1 +1,2 @@ -src/version.rs \ No newline at end of file +src/version.rs +tests/**/layers-cache.json diff --git a/src/tools/genpolicy/tests/policy/main.rs b/src/tools/genpolicy/tests/policy/main.rs index f875fcefc..4f5fe0c83 100644 --- a/src/tools/genpolicy/tests/policy/main.rs +++ b/src/tools/genpolicy/tests/policy/main.rs @@ -289,4 +289,9 @@ mod tests { async fn test_create_container_volumes_config_map() { runtests("createcontainer/volumes/config_map").await; } + + #[tokio::test] + async fn test_create_container_volumes_container_image() { + runtests("createcontainer/volumes/container_image").await; + } } diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/pod.yaml b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/pod.yaml new file mode 100644 index 000000000..91bd9be56 --- /dev/null +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/pod.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis +spec: + runtimeClassName: kata-cc-isolation + containers: + - name: redis + image: quay.io/opstree/redis 
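Review bot: `image: quay.io/opstree/redis` in the new pod.yaml is unpinned, unlike the config_map test's pod.yaml in patch 03 which pins `pause:3.6@sha256:...`, while the expected `Mounts`, `Cwd`, `Env` and `Args` in the accompanying testcases.json are derived by genpolicy from that image's config. The test will therefore start failing whenever the tag moves, and it makes the test suite depend on a mutable third-party artifact. Pin the image by digest, e.g. `image: "quay.io/opstree/redis@sha256:<digest of the image the testcases were recorded against>"` (placeholder to be filled in with the digest actually used), so the recorded expectations stay reproducible.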
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json new file mode 100644 index 000000000..44705c1f8 --- /dev/null +++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/container_image/testcases.json 
@@ -0,0 +1,127 @@ +[ + { + "description": "CreateContainer with a container image having volumes", + "allowed": true, + "request": { + "type": "CreateContainer", + "OCI": { + "Version": "1.1.0", + "Annotations": { + "io.kubernetes.cri.sandbox-name": "redis", + "io.kubernetes.cri.sandbox-namespace": "default", + "io.kubernetes.cri.container-type": "container", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id", + "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000", + "io.kubernetes.cri.container-name": "redis" + }, + "Linux": { + "GIDMappings": [], + "MountLabel": "", + "Resources": { + "Devices": [] + }, + "RootfsPropagation": "", + "Namespaces": [ + { + "Path": "", + "Type": "ipc" + }, + { + "Path": "", + "Type": "uts" + }, + { + "Path": "", + "Type": "mount" + }, + { + "Path": "/run/netns/podns", + "Type": "network" + } + ], + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", + "/sys/firmware", + "/proc/scsi" + ], + "ReadonlyPaths": [ + "/proc/bus", + "/proc/fs", + "/proc/irq", + "/proc/sys", + "/proc/sysrq-trigger" + ] + }, + "Process": { + "Args": [ + "/usr/bin/entrypoint.sh" + ], + "Capabilities": { + "Ambient": [], + "Bounding": [ + "$(default_caps)" + ], + "Effective": [ + "$(default_caps)" + ], + "Inheritable": [], + "Permitted": [ + "$(default_caps)" + ] + }, + "Cwd": "/data", + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "REDIS_PORT=6379", + "HOSTNAME=$(host-name)" + ], + "NoNewPrivileges": false, + "Terminal": false, + "User": { + "AdditionalGids": [ + 1000 + ], + "GID": 1000, + "UID": 1000, + "Username": "" + } + }, + "Root": { + "Readonly": false, + "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs" + }, + 
"Mounts": [ + { + "destination": "/data", + "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-data", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + }, + { + "destination": "/node-conf", + "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-node-conf", + "type_": "bind", + "options": [ + "rbind", + "rprivate", + "rw" + ] + } + ] + }, + "storages": [] + } + } +] From 6adec0737cc6fefe2c528f120f95914d45122839 Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 29 May 2025 06:53:32 +0000 Subject: [PATCH 06/10] genpolicy: add rules for image_guest_pull storage This patch introduces some basic checks for the `image_guest_pull` storage type in the genpolicy tool. Signed-off-by: Archana Choudhary --- src/tools/genpolicy/rules.rego | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 1b09e89e6..26ded027d 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -1033,9 +1033,10 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if { allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if { p_count := count(p_storages) i_count := count(i_storages) - print("allow_storages: p_count =", p_count, "i_count =", i_count) + img_pull_count := count([s | s := i_storages[_]; s.driver == "image_guest_pull"]) + print("allow_storages: p_count =", p_count, "i_count =", i_count, "img_pull_count =", img_pull_count) - p_count == i_count + p_count == i_count - img_pull_count image_info := allow_container_image_storage(p_storages) layer_ids := image_info.layer_ids 
@@ -1053,7 +1054,6 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if { allow_container_image_storage(p_storages) = { "layer_ids": [], "root_hashes": [] } { policy_data.common.image_layer_verification != "host-tarfs-dm-verity" } - allow_container_image_storage(p_storages) = { "layer_ids": layer_ids, "root_hashes": root_hashes } { policy_data.common.image_layer_verification == "host-tarfs-dm-verity" @@ -1082,6 +1082,15 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hash print("allow_storage: true") } +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { + i_storage.driver == "image_guest_pull" + print("allow_storage with image_guest_pull: start") + i_storage.fstype == "overlay" + i_storage.fs_group == null + count(i_storage.options) == 0 + # TODO: Check Mount Point, Source, Driver Options, etc. + print("allow_storage with image_guest_pull: true") +} allow_storage_source(p_storage, i_storage, bundle_id) { print("allow_storage_source 1: start") From 1cbea890f1e9b5fe87869f0070919a02fe70949e Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 29 May 2025 06:54:56 +0000 Subject: [PATCH 07/10] genpolicy: tests: update testcases for execprocess This patch removes storages from the testcases.json file for execprocess. This is because input storage objects are invalid for two reasons: 1. "io.katacontainers.fs-opt.layer=" is missing option in annotations. 2. by default, we don't have host-tarfs-dm-verity enabled, so the storage objects are not created in policy. Signed-off-by: Archana Choudhary --- --- .../testdata/state/execprocess/testcases.json | 94 +------------------ 1 file changed, 3 insertions(+), 91 deletions(-) diff --git a/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json b/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json index a75d77d84..1d15ebbe9 100644 
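Review bot: The new `allow_storage` rule for `image_guest_pull` accepts the storage without looking at `i_storage.source`, `i_storage.mount_point` or `i_storage.driver_options`, as its own TODO admits, and it never consults `p_storages` at all. Because the request comes from the host side, this leaves the image reference the guest is asked to pull and the path it is mounted at unconstrained by the policy, which is the opposite of what the other `allow_storage` branches do via `allow_storage_source` / `allow_mount_point`. At minimum, tie `mount_point` to `bundle_id` the way the existing storage rules do and compare `source` against the container image recorded in `policy_data` for that container (the exact field is not visible here — confirm), and require `count(i_storage.driver_options) == 0` alongside the existing `count(i_storage.options) == 0`. Until those checks land, the TODO should state explicitly that the rule is not yet a security boundary, e.g. `# TODO: source and mount_point are currently unchecked — the policy does not yet bind the pulled image.`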
--- a/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json +++ b/src/tools/genpolicy/tests/policy/testdata/state/execprocess/testcases.json 
@@ -299,51 +299,7 @@ "devices": [], "sandbox_pidns": false, "shared_mounts": [], - "storages": [ - { - "driver": "blk", - "driver_options": [], - "source": "0001:00:02.0", - "fstype": "tar", - "options": [ - "ro", - "io.katacontainers.fs-opt.block_device=file", - "io.katacontainers.fs-opt.is-layer", - "io.katacontainers.fs-opt.root-hash=75ed5e78d30374b9557d32c17ae6d2e1b4afdc5efd128812e6c99a0f60708dba" - ], - "mount_point": "/run/kata-containers/sandbox/layers/b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7", - "fs_group": null - }, - { - "driver": "blk", - "driver_options": [], - "source": "0001:00:03.0", - "fstype": "tar", - "options": [ - "ro", - "io.katacontainers.fs-opt.block_device=file", - "io.katacontainers.fs-opt.is-layer", - "io.katacontainers.fs-opt.root-hash=2e52d86498030b4b99318650826d3f121bdfac5fe7bbbea9d18c546d48003aa0" - ], - "mount_point": "/run/kata-containers/sandbox/layers/a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f", - "fs_group": null - }, - { - "driver": "overlayfs", - "driver_options": [], - "source": "none", - "fstype": "fuse3.kata-overlay", - "options": [ - "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers", - "io.katacontainers.fs-opt.layer=YjFlZjNkMTg2NjFhZDcyN2E4YWQwMWQ0NjJmZmZjNjNlYzkwNDIwYTkzODA1NmJjMDQyMjgyMjMyOGY4M2ZmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTc1ZWQ1ZTc4ZDMwMzc0Yjk1NTdkMzJjMTdhZTZkMmUxYjRhZmRjNWVmZDEyODgxMmU2Yzk5YTBmNjA3MDhkYmE=", - "io.katacontainers.fs-opt.layer=YTg2NTBkNGEyNzlkNDUzN2Q3ZmM0M2M1ODJhMjY0NTI4YTk2ZjA0MWIxMzI3ZDQxYjUwM2YzNjhjMzAxNTk0Zix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTJlNTJkODY0OTgwMzBiNGI5OTMxODY1MDgyNmQzZjEyMWJkZmFjNWZlN2JiYmVhOWQxOGM1NDZkNDgwMDNhYTA=", - 
"io.katacontainers.fs-opt.overlay-rw", - "lowerdir=b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7:a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f" - ], - "mount_point": "/run/kata-containers/shared/containers/88941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "fs_group": null - } - ], + "storages": [], "string_user": null } }, 
@@ -647,51 +603,7 @@ "devices": [], "sandbox_pidns": false, "shared_mounts": [], - "storages": [ - { - "driver": "blk", - "driver_options": [], - "source": "0001:00:02.0", - "fstype": "tar", - "options": [ - "ro", - "io.katacontainers.fs-opt.block_device=file", - "io.katacontainers.fs-opt.is-layer", - "io.katacontainers.fs-opt.root-hash=75ed5e78d30374b9557d32c17ae6d2e1b4afdc5efd128812e6c99a0f60708dba" - ], - "mount_point": "/run/kata-containers/sandbox/layers/b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7", - "fs_group": null - }, - { - "driver": "blk", - "driver_options": [], - "source": "0001:00:03.0", - "fstype": "tar", - "options": [ - "ro", - "io.katacontainers.fs-opt.block_device=file", - "io.katacontainers.fs-opt.is-layer", - "io.katacontainers.fs-opt.root-hash=2e52d86498030b4b99318650826d3f121bdfac5fe7bbbea9d18c546d48003aa0" - ], - "mount_point": "/run/kata-containers/sandbox/layers/a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f", - "fs_group": null - }, - { - "driver": "overlayfs", - "driver_options": [], - "source": "none", - "fstype": "fuse3.kata-overlay", - "options": [ - "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers", - "io.katacontainers.fs-opt.layer=YjFlZjNkMTg2NjFhZDcyN2E4YWQwMWQ0NjJmZmZjNjNlYzkwNDIwYTkzODA1NmJjMDQyMjgyMjMyOGY4M2ZmNyx0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTc1ZWQ1ZTc4ZDMwMzc0Yjk1NTdkMzJjMTdhZTZkMmUxYjRhZmRjNWVmZDEyODgxMmU2Yzk5YTBmNjA3MDhkYmE=", - "io.katacontainers.fs-opt.layer=YTg2NTBkNGEyNzlkNDUzN2Q3ZmM0M2M1ODJhMjY0NTI4YTk2ZjA0MWIxMzI3ZDQxYjUwM2YzNjhjMzAxNTk0Zix0YXIscm8saW8ua2F0YWNvbnRhaW5lcnMuZnMtb3B0LmJsb2NrX2RldmljZT1maWxlLGlvLmthdGFjb250YWluZXJzLmZzLW9wdC5pcy1sYXllcixpby5rYXRhY29udGFpbmVycy5mcy1vcHQucm9vdC1oYXNoPTJlNTJkODY0OTgwMzBiNGI5OTMxODY1MDgyNmQzZjEyMWJkZmFjNWZlN2JiYmVhOWQxOGM1NDZkNDgwMDNhYTA=", - 
"io.katacontainers.fs-opt.overlay-rw", - "lowerdir=b1ef3d18661ad727a8ad01d462fffc63ec90420a938056bc0422822328f83ff7:a8650d4a279d4537d7fc43c582a264528a96f041b1327d41b503f368c301594f" - ], - "mount_point": "/run/kata-containers/shared/containers/22941c1e6546ae2aef276f738b162fc379e61467120544e13e5ca5bd204862b9", - "fs_group": null - } - ], + "storages": [], "string_user": null } }, @@ -1223,4 +1135,4 @@ } } } -] \ No newline at end of file +] From 9dd365fdb540385f653b97110d31755f5371462f Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Mon, 16 Jun 2025 11:52:58 +0000 Subject: [PATCH 08/10] genpolicy: fix mount source check in rules.rego This commit fixes the mount source check in rules.rego. Signed-off-by: Archana Choudhary --- src/tools/genpolicy/rules.rego | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 26ded027d..722fbb221 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -1252,7 +1252,7 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) if { mount1 := p_storage.mount_point print("allow_mount_point 3: mount1 =", mount1) - mount2 := replace(mount1, "$(cpath)", policy_data.common.cpath) + mount2 := replace(mount1, "$(cpath)", policy_data.common.mount_source_cpath) print("allow_mount_point 3: mount2 =", mount2) mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) From abbe1be69fe83facfc2eb8d79dfdff2471f2fc7f Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Thu, 19 Jun 2025 11:39:21 +0000 Subject: [PATCH 09/10] tests: enable confidential_guest setting for coco This commit updates the `tests_common.sh` script to enable the `confidential_guest` setting for the coco tests in the Kubernetes integration tests. Signed-off-by: Archana Choudhary --- src/tools/genpolicy/genpolicy-settings.json | 6 +++--- tests/integration/kubernetes/tests_common.sh | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
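Review bot: This one-line change makes `allow_mount_point` expand `$(cpath)` in a mount *point* pattern with `policy_data.common.mount_source_cpath`, while the commit title says it fixes the mount *source* check, and both `cpath` and `mount_source_cpath` exist in `policy_data.common`; a reader cannot tell from the rule which base path the `mount_point` patterns in genpolicy-settings.json (e.g. `confidential_emptyDir.mount_point`, which still uses `$(cpath)`) are meant to resolve against. Add a comment above the substitution, e.g. `# mount_point patterns in the settings are written against mount_source_cpath, not cpath — see genpolicy-settings.json`, and if that is not the intent for every storage type, this should be the place to branch. The body of `allow_mount_point` starts and ends outside this hunk.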
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index cc8c9f006..1b9321d49 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -165,8 +165,8 @@ }, "confidential_emptyDir": { "mount_type": "local", - "mount_source": "^$(cpath)/$(sandbox-id)/local/", - "mount_point": "^$(cpath)/$(sandbox-id)/local/", + "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", + "mount_point": "^$(cpath)/$(sandbox-id)/rootfs/local/", "driver": "local", "source": "local", "fstype": "local", @@ -375,4 +375,4 @@ "UpdateEphemeralMountsRequest": false, "WriteStreamRequest": false } -} \ No newline at end of file +} diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index a1a4adda3..a4e828178 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -90,7 +90,7 @@ adapt_common_policy_settings_for_tdx() { local settings_dir=$1 info "Adapting common policy settings for TDX, SNP, or the non-TEE development environment" - jq '.common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + jq '.kata_config.confidential_guest = true | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" } # adapt common policy settings for qemu-sev From 6932beb01f7577fdfb98d28f41d5a57cf1d7827a Mon Sep 17 00:00:00 2001 From: Archana Choudhary Date: Tue, 1 Jul 2025 12:43:41 +0000 Subject: [PATCH 10/10] policy: fix parse errors in rules.rego This patch fixes the rules.rego file to ensure that the policy is correctly parsed and applied by opa. 
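Review bot: The `confidential_emptyDir` patterns are changed from `^$(cpath)/$(sandbox-id)/local/` to `^$(cpath)/$(sandbox-id)/rootfs/local/`, but the commit message only describes the `tests_common.sh` change and gives no reason for the new path, so a reviewer cannot tell whether the old pattern was wrong or the guest layout moved. Please state in the commit message (or a comment in the shell helper that consumes this setting) where the `rootfs/local` directory comes from and which agent version produces it; a policy path regex silently mismatching fails closed for every confidential emptyDir user, which is exactly the kind of change that needs its rationale recorded.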
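Review bot: `adapt_common_policy_settings_for_tdx` now sets `.kata_config.confidential_guest = true` unconditionally, yet its own `info` line says it is also used for "the non-TEE development environment", so the flag is enabled there too even though the commit describes it as a change for the coco tests. If that is intended, update the info message to say so; if not, gate the assignment on the hypervisor/TEE variable the caller already dispatches on, e.g. build the jq program as `local jq_prog='.common.cpath = "/run/kata-containers" | ...'` and prepend `.kata_config.confidential_guest = true |` only for the TEE cases. The function's closing brace and the surrounding dispatch are outside this hunk.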
Signed-off-by: Archana Choudhary --- src/tools/genpolicy/rules.rego | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego index 722fbb221..f073c8c4d 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -1051,10 +1051,10 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if { # Currently, Image Layer Integrity Verification through Policy is only required for Guest VMs # that use container image layers provided as dm-verity-protected block device images created on the Host. -allow_container_image_storage(p_storages) = { "layer_ids": [], "root_hashes": [] } { +allow_container_image_storage(p_storages) = { "layer_ids": [], "root_hashes": [] } if { policy_data.common.image_layer_verification != "host-tarfs-dm-verity" } -allow_container_image_storage(p_storages) = { "layer_ids": layer_ids, "root_hashes": root_hashes } { +allow_container_image_storage(p_storages) = { "layer_ids": layer_ids, "root_hashes": root_hashes } if { policy_data.common.image_layer_verification == "host-tarfs-dm-verity" some overlay_storage in p_storages @@ -1082,7 +1082,7 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hash print("allow_storage: true") } -allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { +allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) if { i_storage.driver == "image_guest_pull" print("allow_storage with image_guest_pull: start") i_storage.fstype == "overlay" 
@@ -1092,14 +1092,14 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hash print("allow_storage with image_guest_pull: true") } -allow_storage_source(p_storage, i_storage, bundle_id) { +allow_storage_source(p_storage, i_storage, bundle_id) if { print("allow_storage_source 1: start") p_storage.source == i_storage.source print("allow_storage_source 1: true") } -allow_storage_source(p_storage, i_storage, bundle_id) { +allow_storage_source(p_storage, i_storage, bundle_id) if { print("allow_storage_source 2: start") source1 := p_storage.source @@ -1112,7 +1112,7 @@ allow_storage_source(p_storage, i_storage, bundle_id) { print("allow_storage_source 2: true") } -allow_storage_source(p_storage, i_storage, bundle_id) { +allow_storage_source(p_storage, i_storage, bundle_id) if { print("allow_storage_source 3: start") p_storage.driver == "overlayfs"