genpolicy: add test for volumeMounts

This patch: - adds a count check on mounts - adds various test scenarios for mounts with emptyDir volume source Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2026-05-14 02:53:02 +00:00 · 2025-04-02 09:42:30 +00:00
parent 713cbb0c62
commit fb815b77c1
4 changed files with 1412 additions and 9 deletions
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -633,9 +633,11 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {

    allow_root_path(p_oci, i_oci, bundle_id)

-    every i_mount in input.OCI.Mounts {
-        allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
-    }
+    # Match each input mount with a Policy mount.
+    # Reject possible attempts to match multiple input mounts with a single Policy mount.
+    p_matches := { p_index | some i_index; p_index = allow_mount(p_oci, input.OCI.Mounts[i_index], bundle_id, sandbox_id) }
+
+    count(p_matches) == count(input.OCI.Mounts)

    # TODO: enable allow_storages() after fixing https://github.com/kata-containers/kata-containers/issues/8833
    # allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
@@ -900,17 +902,15 @@ allow_root_path(p_oci, i_oci, bundle_id) {
 }

 # device mounts
-allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
+# allow_mount returns the policy index (p_index) if a given input mount matches a policy mount.
+allow_mount(p_oci, i_mount, bundle_id, sandbox_id):= p_index {
    print("allow_mount: i_mount =", i_mount)

-    some p_mount in p_oci.Mounts
+    p_mount := p_oci.Mounts[p_index]
    print("allow_mount: p_mount =", p_mount)
    check_mount(p_mount, i_mount, bundle_id, sandbox_id)

-    # TODO: are there any other required policy checks for mounts - e.g.,
-    #       multiple mounts with same source or destination?
-
-    print("allow_mount: true")
+    print("allow_mount: true, p_index =", p_index)
 }

 check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
--- a/src/tools/genpolicy/tests/main.rs
+++ b/src/tools/genpolicy/tests/main.rs
@@ -190,4 +190,9 @@ mod tests {
    async fn test_exec_process() {
        runtests("execprocess").await;
    }
+
+    #[tokio::test]
+    async fn test_create_container_mounts() {
+        runtests("createcontainer/volumes/emptydir").await;
+    }
 }
--- a/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/pod.yaml
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/pod.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dummy
+spec:
+  runtimeClassName: kata-cc-isolation
+  containers:
+  - name: dummy
+    image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db
+    volumeMounts:
+    - mountPath: /mnt/test
+      name: test-volume
+    - mountPath: /mnt/test2
+      name: test-volume
+      mountPropagation: Bidirectional
+    - mountPath: /mnt/test3
+      name: test-volume
+      readOnly: true
+    - mountPath: /mnt/test4
+      name: test-volume2
+  volumes:
+  - name: test-volume
+    emptyDir: {}
+  - name: test-volume2
+    emptyDir: {}
--- a/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/testcases.json
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/volumes/emptydir/testcases.json