From 535cf04edb749052696c6409f62f1a40c92742a8 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Thu, 25 Jan 2024 01:43:10 +0000
Subject: [PATCH] genpolicy: add shareProcessNamespace support

Validate the sandbox_pidns field value for CreateSandbox and CreateContainer.

Fixes: #8868

Signed-off-by: Dan Mihai
---
 src/tools/genpolicy/rules.rego | 15 ++++++++++++++-
 src/tools/genpolicy/src/config_map.rs | 4 ++++
 src/tools/genpolicy/src/daemon_set.rs | 7 +++++++
 src/tools/genpolicy/src/deployment.rs | 7 +++++++
 src/tools/genpolicy/src/job.rs | 7 +++++++
 src/tools/genpolicy/src/list.rs | 4 ++++
 src/tools/genpolicy/src/no_policy.rs | 4 ++++
 src/tools/genpolicy/src/pod.rs | 10 ++++++++++
 src/tools/genpolicy/src/policy.rs | 9 +++++++++
 src/tools/genpolicy/src/replica_set.rs | 7 +++++++
 src/tools/genpolicy/src/replication_controller.rs | 7 +++++++
 src/tools/genpolicy/src/secret.rs | 4 ++++
 src/tools/genpolicy/src/stateful_set.rs | 7 +++++++
 src/tools/genpolicy/src/yaml.rs | 1 +
 14 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 99de8aea8b..75be33f594 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -45,8 +45,12 @@ CreateContainerRequest {
 some p_container in policy_data.containers
 print("======== CreateContainerRequest: trying next policy container")
+ p_pidns := p_container.sandbox_pidns
+ i_pidns := input.sandbox_pidns
+ print("CreateContainerRequest: p_pidns =", p_pidns, "i_pidns =", i_pidns)
+ p_pidns == i_pidns
+
 p_oci := p_container.OCI
- p_storages := p_container.storages
 print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
 p_oci.Version == i_oci.Version
@@ -55,7 +59,10 @@ CreateContainerRequest {
 p_oci.Root.Readonly == i_oci.Root.Readonly
 allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
 allow_by_anno(p_oci, i_oci, p_storages, i_storages)
+
 allow_linux(p_oci, i_oci)
 print("CreateContainerRequest: true")
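Review bot: The new `p_pidns == i_pidns` comparison handles a request that omits the field correctly, but nothing in the hunk says so: when `input.sandbox_pidns` is absent, `i_pidns := input.sandbox_pidns` is undefined, the rule body fails and the container is rejected, which is the fail-closed outcome one wants from a policy check but is easy to misread as a bug later. A comment above the new lines would record it, e.g. `# A request without sandbox_pidns leaves i_pidns undefined, so this rule fails closed.`. Since the check runs inside the `some p_container` iteration like the other field comparisons, a mismatch only moves on to the next policy container, consistent with the rest of the rule. The enclosing CreateContainerRequest rule starts before and continues past this hunk.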
@@ -1076,6 +1083,12 @@ CopyFileRequest {
 print("CopyFileRequest: true")
 }
+CreateSandboxRequest {
+ i_pidns := input.sandbox_pidns
+ print("CreateSandboxRequest: i_pidns =", i_pidns)
+ i_pidns == false
+}
+
 ExecProcessRequest {
 print("ExecProcessRequest 1: input =", input)
diff --git a/src/tools/genpolicy/src/config_map.rs b/src/tools/genpolicy/src/config_map.rs
index a6f2fa0e38..5f50ac1f31 100644
--- a/src/tools/genpolicy/src/config_map.rs
+++ b/src/tools/genpolicy/src/config_map.rs
@@ -125,4 +125,8 @@ impl yaml::K8sResource for ConfigMap {
 fn use_host_network(&self) -> bool {
 panic!("Unsupported");
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ panic!("Unsupported");
+ }
 }
diff --git a/src/tools/genpolicy/src/daemon_set.rs b/src/tools/genpolicy/src/daemon_set.rs
index aa19b12fbf..16b1a3c22e 100644
--- a/src/tools/genpolicy/src/daemon_set.rs
+++ b/src/tools/genpolicy/src/daemon_set.rs
@@ -129,4 +129,11 @@ impl yaml::K8sResource for DaemonSet {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
diff --git a/src/tools/genpolicy/src/deployment.rs b/src/tools/genpolicy/src/deployment.rs
index 397d1344d1..17a97d5862 100644
--- a/src/tools/genpolicy/src/deployment.rs
+++ b/src/tools/genpolicy/src/deployment.rs
@@ -127,4 +127,11 @@ impl yaml::K8sResource for Deployment {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
diff --git a/src/tools/genpolicy/src/job.rs b/src/tools/genpolicy/src/job.rs
index 8bda6c8b5f..497b02865c 100644
--- a/src/tools/genpolicy/src/job.rs
+++ b/src/tools/genpolicy/src/job.rs
@@ -101,4 +101,11 @@ impl yaml::K8sResource for Job {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
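Review bot: `i_pidns == false` in the new CreateSandboxRequest rule hard-codes the sandbox-level expectation without saying why a shared PID namespace is never accepted here while CreateContainerRequest compares the same field against a per-container policy value; the commit message only says the field is validated. If the reason is that sharing is decided per workload container, a one-line comment would record it, e.g. `# The sandbox itself must not request a shared PID namespace; sharing is granted per container via policy_data.containers[_].sandbox_pidns.`. Note that `i_pidns == false` also rejects a request that omits the field entirely, which is stricter than `not input.sandbox_pidns` would be and reads as the intended fail-closed choice; the comment could say so explicitly.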
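Review bot: The body of the new `use_sandbox_pidns` in daemon_set.rs, `if let Some(shared) = … { return shared; } false`, is the hand-written form of `Option::unwrap_or`, which clippy's `manual_unwrap_or` lint flags; the whole method body can be `self.spec.template.spec.shareProcessNamespace.unwrap_or(false)`. The same shape is repeated verbatim in deployment.rs and job.rs in this chunk and in replica_set.rs, replication_controller.rs and stateful_set.rs further on, and pod.rs has the `self.spec.shareProcessNamespace` variant. The visible tail of the neighbouring `use_host_network` (`} false }`) suggests it already uses the long form, so keeping the new code consistent with it is defensible; if that is the choice, converting both in one follow-up would keep the impls uniform.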
diff --git a/src/tools/genpolicy/src/list.rs b/src/tools/genpolicy/src/list.rs
index 7b84c1e0e6..fcf25a4885 100644
--- a/src/tools/genpolicy/src/list.rs
+++ b/src/tools/genpolicy/src/list.rs
@@ -100,4 +100,8 @@ impl yaml::K8sResource for List {
 fn use_host_network(&self) -> bool {
 panic!("Unsupported");
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ panic!("Unsupported");
+ }
 }
diff --git a/src/tools/genpolicy/src/no_policy.rs b/src/tools/genpolicy/src/no_policy.rs
index 6c70d10397..729c873e59 100644
--- a/src/tools/genpolicy/src/no_policy.rs
+++ b/src/tools/genpolicy/src/no_policy.rs
@@ -67,4 +67,8 @@ impl yaml::K8sResource for NoPolicyResource {
 fn use_host_network(&self) -> bool {
 panic!("Unsupported");
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ panic!("Unsupported");
+ }
 }
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
index b85b7b9829..2066f94aa9 100644
--- a/src/tools/genpolicy/src/pod.rs
+++ b/src/tools/genpolicy/src/pod.rs
@@ -77,6 +77,9 @@ pub struct PodSpec {
 #[serde(skip_serializing_if = "Option::is_none")]
 pub hostNetwork: Option,
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub shareProcessNamespace: Option,
+
 #[serde(skip_serializing_if = "Option::is_none")]
 dnsConfig: Option,
@@ -737,6 +740,13 @@ impl yaml::K8sResource for Pod {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
 impl Container {
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
index 8ee5967e4c..0cc6fa0f64 100644
--- a/src/tools/genpolicy/src/policy.rs
+++ b/src/tools/genpolicy/src/policy.rs
@@ -256,6 +256,9 @@ pub struct ContainerPolicy {
 /// Data compared with req.storages for CreateContainerRequest calls.
 storages: Vec,
+ /// Data compared with req.sandbox_pidns for CreateContainerRequest calls.
+ sandbox_pidns: bool,
+
 /// Allow list of ommand lines that are allowed to be executed using
 /// ExecProcessRequest. By default, all ExecProcessRequest calls are blocked
 /// by the policy.
@@ -518,6 +521,11 @@ impl AgentPolicy {
 linux.ReadonlyPaths = c_settings.Linux.ReadonlyPaths.clone();
 }
+ let sandbox_pidns = if is_pause_container {
+ false
+ } else {
+ resource.use_sandbox_pidns()
+ };
 let exec_commands = yaml_container.get_exec_commands();
 ContainerPolicy {
@@ -531,6 +539,7 @@ impl AgentPolicy {
 Linux: linux,
 },
 storages,
+ sandbox_pidns,
 exec_commands,
 }
 }
diff --git a/src/tools/genpolicy/src/replica_set.rs b/src/tools/genpolicy/src/replica_set.rs
index a038273d1c..d653f050a0 100644
--- a/src/tools/genpolicy/src/replica_set.rs
+++ b/src/tools/genpolicy/src/replica_set.rs
@@ -99,4 +99,11 @@ impl yaml::K8sResource for ReplicaSet {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
diff --git a/src/tools/genpolicy/src/replication_controller.rs b/src/tools/genpolicy/src/replication_controller.rs
index a519c63620..a69219c138 100644
--- a/src/tools/genpolicy/src/replication_controller.rs
+++ b/src/tools/genpolicy/src/replication_controller.rs
@@ -101,4 +101,11 @@ impl yaml::K8sResource for ReplicationController {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
diff --git a/src/tools/genpolicy/src/secret.rs b/src/tools/genpolicy/src/secret.rs
index 1e8dba8d5a..a56566de3b 100644
--- a/src/tools/genpolicy/src/secret.rs
+++ b/src/tools/genpolicy/src/secret.rs
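Review bot: The `is_pause_container` branch in the second policy.rs hunk forces `sandbox_pidns` to `false` without a comment on why the pause container is excluded from the pod's `shareProcessNamespace` setting, and nothing in the hunk derives that; whoever debugs a policy mismatch on the pause container later will want the reason next to the code. If it matches how the runtime issues the pause container's CreateContainerRequest, a comment above the `let` such as `// The pause container is always created with sandbox_pidns == false; only the pod's workload containers honour shareProcessNamespace.` would capture it. The same value could also be written as `let sandbox_pidns = !is_pause_container && resource.use_sandbox_pidns();`, which avoids calling the resource at all for the pause container, but the if/else reads fine too. The enclosing method begins and ends outside this hunk.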
@@ -111,4 +111,8 @@ impl yaml::K8sResource for Secret {
 fn use_host_network(&self) -> bool {
 panic!("Unsupported");
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ panic!("Unsupported");
+ }
 }
diff --git a/src/tools/genpolicy/src/stateful_set.rs b/src/tools/genpolicy/src/stateful_set.rs
index 9a31c29fa5..908686f939 100644
--- a/src/tools/genpolicy/src/stateful_set.rs
+++ b/src/tools/genpolicy/src/stateful_set.rs
@@ -174,6 +174,13 @@ impl yaml::K8sResource for StatefulSet {
 }
 false
 }
+
+ fn use_sandbox_pidns(&self) -> bool {
+ if let Some(shared) = self.spec.template.spec.shareProcessNamespace {
+ return shared;
+ }
+ false
+ }
 }
 impl StatefulSet {
diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
index b1f38c57b3..5884833ff9 100644
--- a/src/tools/genpolicy/src/yaml.rs
+++ b/src/tools/genpolicy/src/yaml.rs
@@ -65,6 +65,7 @@ pub trait K8sResource {
 fn get_containers(&self) -> &Vec;
 fn get_annotations(&self) -> &Option>;
 fn use_host_network(&self) -> bool;
+ fn use_sandbox_pidns(&self) -> bool;
 }
 /// See Reference / Kubernetes API / Common Definitions / LabelSelector.
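Review bot: The new trait method `use_sandbox_pidns` in yaml.rs carries no doc comment, and its visible neighbours have none either, so nothing records what the bool means (the pod-level `shareProcessNamespace`, false when unset, as every pod-bearing impl in this commit returns) or that ConfigMap, List, NoPolicyResource and Secret answer it with `panic!("Unsupported")`. A comment on the trait declaration, e.g. `/// Pod-level shareProcessNamespace setting; false when the field is unset. Panics for resources that carry no pod spec.`, would tell callers which resources they may ask. Alternatively a default body on the trait would remove the four identical panicking impls, at the cost of making the per-resource decision implicit rather than explicit.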