From eeb3d1384bd3ae42c28a45c998ee578e58a1c0d4 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Tue, 3 Jun 2025 17:46:40 +0200
Subject: [PATCH] genpolicy: compare additionalGIDs as sets

The additional GIDs are handled by genpolicy as a BTreeSet. This set is then serialized to an ordered JSON array. On the containerd side, the GIDs are added to a list in the order they are discovered in /etc/group, and the main GID of the user is prepended to that list. This means that we don't have any guarantees that the input GIDs will be sorted. Since the order does not matter here, comparing the list of GIDs as sets is close enough.

Signed-off-by: Markus Rudy
---
 src/tools/genpolicy/rules.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 6e131f34bd..92778d96b9 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -736,7 +736,7 @@ allow_user(p_process, i_process) {
     p_user.GID == i_user.GID
     print("allow_user: input additionalGids =", i_user.AdditionalGids, "policy additionalGids =", p_user.AdditionalGids)
-    p_user.AdditionalGids == i_user.AdditionalGids
+    {e | some e in p_user.AdditionalGids} == {e | some e in i_user.AdditionalGids}
 }
 allow_args(p_process, i_process, s_name) {
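Review bot: The set comprehensions on the added line also change what happens when one side is absent or null, not only the ordering: a comprehension whose body is undefined evaluates to `{}` in Rego (as I recall — worth confirming against the OPA version genpolicy targets), so an input that omits `AdditionalGids` now matches a policy with an empty list, whereas the old direct equality left `allow_user` undefined and therefore denied. That is very likely the intended meaning (no supplementary groups on either side) but it is a slight widening of what is accepted and should be stated in a comment next to the comparison, e.g. `# Order and duplicates carry no meaning for group membership, so compare as sets; an absent or null list on either side compares as empty.` Duplicates also collapse, so `[1000, 1000]` and `[1000]` compare equal, which is harmless because the kernel treats supplementary groups as a set. The `some e in ...` form presumably relies on `future.keywords.in` or `rego.v1` being imported elsewhere in rules.rego, which is outside this hunk. The enclosing allow_user rule begins before the hunk.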