genpolicy: compare additionalGIDs as sets

The additional GIDs are handled by genpolicy as a BTreeSet. This set is
then serialized to an ordered JSON array. On the containerd side, the
GIDs are added to a list in the order they are discovered in /etc/group,
and the main GID of the user is prepended to that list. This means that
we don't have any guarantees that the input GIDs will be sorted. Since
the order does not matter here, comparing the list of GIDs as sets is
close enough.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
Markus Rudy 2025-06-03 17:46:40 +02:00
parent 02ad39ddf1
commit eeb3d1384b


@ -736,7 +736,7 @@ allow_user(p_process, i_process) {
p_user.GID == i_user.GID
print("allow_user: input additionalGids =", i_user.AdditionalGids, "policy additionalGids =", p_user.AdditionalGids)
p_user.AdditionalGids == i_user.AdditionalGids
{e | some e in p_user.AdditionalGids} == {e | some e in i_user.AdditionalGids}
}
allow_args(p_process, i_process, s_name) {
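Review bot: the set comprehension on the new comparison line discards multiplicity as well as order, so an input AdditionalGids that lists the same GID twice now compares equal to a policy entry that lists it once; given that the policy side is generated from a BTreeSet (per the commit message) this is acceptable, but a one-line comment directly above `{e | some e in p_user.AdditionalGids} == {e | some e in i_user.AdditionalGids}` explaining why order and duplicates are deliberately ignored (containerd prepends the primary GID and otherwise follows /etc/group order) would stop a future reader from "fixing" it back to array equality. The `print(...)` debug line kept above the comparison should also be reconsidered in the same change, since its output no longer reflects what is actually compared.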