Commit Graph

528 Commits

Author SHA1 Message Date
stevenhorsman
ffbaa793a3 versions: Update crossbeam-channel
Update all crossbeam-channel for all non-agent
packages (it was done separately in #11175)
to 0.5.15 to get them on latest version and remove
the versions with a vulnerability

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-30 19:36:40 +01:00
Aurélien Bombo
46af7cf817 Merge pull request #11077 from microsoft/cameronbaird/address-gid-mismatch
genpolicy: Align GID behavior with CRI and enable GID policy checks.
2025-04-29 22:23:23 +01:00
dependabot[bot]
2992a279ab build(deps): bump tokio from 1.38.0 to 1.44.2 in /src/tools/runk
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.38.0 to 1.44.2.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.38.0...tokio-1.44.2)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.44.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-29 12:14:41 +00:00
stevenhorsman
bcffe938ca versions: Bump golang.org/x/net
Bump golang.org/x/net to 0.38.0 as dependabot
isn't doing it for these packages to remediate
CVE-2025-22872

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-29 09:46:48 +01:00
Cameron Baird
70ef0376fb genpolicy: Introduce special handling for clusters using nydus
Nydus+guest_pull has specific behavior where it improperly handles image layers on
the host, causing the CRI to not find /etc/passwd and /etc/group files
on container images which have them. The unfortunately causes different
outcomes w.r.t. GID used which we are trying to enforce with policy.

This behavior is observed/explained in https://github.com/kata-containers/kata-containers/issues/11162

Handle this exception with a config.settings.cluster_config.guest_pull
field. When this is true, simply ignore the /etc/* files in the
container image as they will not be parsed by the CRI.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 20:18:42 +00:00
Cameron Baird
d3b652014a genpolicy: Introduce genpolicy tests for security contexts
Add security context testcases for genpolicy, verifying that UID and GID
configurations controlled by the kubernetes security context are
enforced.

Also, fix the other CreateContainerRequest tests' expected contents to
reflect our new genpolicy parsing/enforcement of GIDs.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 16:28:31 +00:00
Cameron Baird
938ddeaf1e genpolicy: Enable GID checks in rules.rego
With fixes to align policy GID parsing with the CRI behavior, we can now
enable policy verification of GIDs.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 16:28:31 +00:00
Cameron Baird
eb2c7f4150 genpolicy: Integrate /etc/passwd from OCI container when setting GIDs
The GID used for the running process in an OCI container is a function of
1. The securityContext.runAsGroup specified in a pod yaml, 2. The UID:GID mapping in
/etc/passwd, if present in the container image layers, 3. Zero, even if
the userstr specifies a GID.

Make our policy engine align with this behavior by:
1. At the registry level, always obtain the GID from the /etc/passwd
   file if present. Ignore GIDs specified in the userstr encoded in the
OCI container.
2. After an update to UID due to securityContexts, perform one final check against
   the /etc/passwd file if present. The GID used for the running
process is the mapping in this file from UID->GID.
3. Override everything above with the GID of the securityContext
   configuration if provided

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 16:28:31 +00:00
Cameron Baird
c13d7796ee genpolicy: Parse secContext runAsGroup and allowPrivilegeEscalation
Our policy should cover these fields for securityContexts at the pod or
container level of granularity.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 16:28:31 +00:00
Cameron Baird
349ce8c339 genpolicy: Refactor registry user/group parsing to account for all cases
The get_process logic in registry.rs did not account for all cases
(username:groupname), did not defer to contents of /etc/group,
/etc/passwd when it should, and was difficult to read.

Clean this implementation up, factoring the string parsing for
user/group strings into their own functions. Enable the
registry::Container class to query /etc/passwd and /etc/group, if they
exist.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 16:28:29 +00:00
stevenhorsman
c938c75af0 versions: kata-ctl: Bump rustls
Bump rustls version to > 0.21.11 to remediate
high severity CVE-2024-32650

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-28 14:55:59 +01:00
stevenhorsman
2ee7ef6aa3 versions: agent-ctl: Bump hashbrown
Bump hashbrown to >= 0.15.1 to remediate the high severity
security alert that was in v0.15.0

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-28 14:55:46 +01:00
stevenhorsman
e3d3a2843f versions: Bump mio to at least 0.8.11
Ensure that all the versions of mio we use are at
least 0.8.11 to remediate CVE-2024-27308

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-28 14:55:46 +01:00
stevenhorsman
c37840ce80 versions: Bump golang version
Bump golang version to the latest minor 1.23.x release
now that 1.24 has been released and 1.22.x is no longer
stable and receiving security fixes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-23 12:37:48 +01:00
Sumedh Sharma
2a17628591 genpolicy: Add container_id & related policy container data to state.
This commit adds changes to add input container_id and related
container data to state after a CreateContainerRequest is allowed. This
helps constrain reference container data for evaluating request
inputs to one instead of matching against every policy container data,
Ex: in ExecProcessRequest inputs.

Fixes #11109

Signed-off-by: Sumedh Sharma <sumsharma@microsoft.com>
2025-04-15 14:02:59 +05:30
Ankita Pareek
7e450bc1c2 policy: Add missing input validations for ExecProcessRequest
This commit introduces missing validations for input fields in ExecProcessRequest to
harden the security policy.

The changes include:
- Update rules.rego to add null/empty field enforcements for String_user, SelinuxLabel and ApparmorProfile
- Add unit test cases for ExecProcessRequest for each of the validations

Signed-off-by: Ankita Pareek <ankitapareek@microsoft.com>
2025-04-03 12:53:59 +00:00
Saul Paredes
ae5c587efc Merge pull request #11074 from Sumynwa/sumsharma/genpolicy_test
genpolicy: Refactor tests to allow different request types in a testcases json.
2025-03-25 12:38:19 -07:00
Sumedh Sharma
3406df9133 genpolicy: Refactor tests to add different request types in testcases json
This commit introduces changes to add test data for multiple request
type in a single testcases.json file. This allows for stateful testing,
for ex: enable testing ExecProcessRequest using policy state set after testing
a CreateContainerRequest.

Fixes #11073.

Signed-off-by: Sumedh Sharma <sumsharma@microsoft.com>
2025-03-25 13:52:17 +05:30
Dan Mihai
15c9035254 genpolicy: add support for BUILD_TYPE=debug
Use "cargo build --release" when BUILD_TYPE was not specified, or when
BUILD_TYPE=release. The default "cargo build" behavior is to build in
debug mode.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-24 16:10:20 +00:00
Aurélien Bombo
26bd7989b3 csi-kata-directvolume: Remove replace in go.mod
Running `go mod tidy` and `go mod vendor` after this resulted in no-ops.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-14 18:00:36 +00:00
Saul Paredes
b7087eb0ea Merge pull request #10983 from microsoft/cameronbaird/updateinterfacerequest-hardening-upstream
genpolicy: Introduce UpdateInterfaceRequest rules in genpolicy-settings
2025-03-13 16:12:03 -07:00
Dan Mihai
b910daf625 Merge pull request #11012 from microsoft/saulparedes/validate_generated_name_upstr
policy: validate pod generated name
2025-03-13 14:09:57 -07:00
Cameron Baird
bceffd5ff6 genpolicy: Introduce UpdateInterfaceRequest rules in genpolicy-settings
Introduce rules for UpdateInterfaceRequest and genpolicy tests for them.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-03-13 17:30:01 +00:00
Saul Paredes
7a5db51c80 policy: validate pod generated name
Validate sandbox name using a regex. If the YAML specifies metadata.name, use a regex that exact matches.
If the YAML specifies metadata.generateName, use a regex that matches the prefix of the generated name.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-03-13 09:49:57 -07:00
Cameron Baird
cf129f3744 genpolicy: Introduce UpdateRoutesRequest rules in genpolicy-settings
Introduce rule to block routes from source addresses which are the
loopback. Block routes added to the lo device.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-03-12 19:03:57 +00:00
Fabiano Fidêncio
6e236fd44c Merge pull request #10652 from burgerdev/sysctls
genpolicy: support sysctls from PodSpec and environment defaults
2025-02-27 08:25:14 +01:00
Dan Mihai
cb382e1367 Merge pull request #10925 from katexochen/p/fail-on-layer-pull
genpolicy: fail when layer can't be processed
2025-02-26 13:28:38 -08:00
Markus Rudy
70709455ef genpolicy: support sysctl settings
Sysctls may be added to a container by the Kubernetes pod definition or
by containerd configuration. This commit adds support for the
corresponding PodSecurityContext field and an option to specify
environment-dependent sysctls in the settings file.

The sysctls requested in a CreateContainerRequest are checked against
the sysctls in the pod definition, or if not defined there in the
defaults in genpolicy-settings.json. There is no check for the presence
of expected sysctls, though, because Kubernetes might legitimately
omit unsafe syscalls itself and because default sysctls might not apply
to all containers.

Fixes: #10064
Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-02-26 18:56:17 +01:00
Markus Rudy
d58f38dfab genpolicy: add get_process_fields to CronJob
This function was accidentally left unimplemented for CronJob, resulting
in runAsUser not being supported there.

Fixes: #10653
Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-02-26 09:00:04 +01:00
Paul Meyer
9981cdd8a8 genpolicy: fail when layer can't be processed
Currently, if a layer can't be processed, we log this a warning and
continue execution, finally exit with a zero exit code. This can lead
to the generation of invalid policies. One reason a layer might not be
processed is that the pull of that layer fails.

We need all layers to be processed successfully to generate a valid
policy, as otherwise we will miss the verity hash for that layer or
we might miss the USER information from a passwd stored in that layer.
This will cause our VM to not get through the agent's policy validation.

Returning an error instead of printing a warning will cause genpolicy
to fail in such cases.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-02-26 08:30:59 +01:00
Ruoqing He
265a751837 build: Drop redundant ARCH override
There are many `override ARCH = powerpc64le` after where `utils.mk` is
included, which are redundant.

Drop those redundant `override`s.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-02-24 22:04:28 +08:00
Markus Rudy
67fbad5f37 genpolicy: bump oci-distribution to v0.12.0
This picks up a security fix for confidential pulling of unsigned
images.

The crate moved permanently to oci-client, which required a few import
changes.

Co-authored-by: Paul Meyer <katexochen0@gmail.com>
Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-02-18 16:32:00 +01:00
Leonard Cohnen
ec0af6fbda policy: check the linux network namespace
Peer pods have a linux namespace of type network. We want to make sure that all
container in the same pod use the same namespace. Therefore, we add the first
namespace path to the state and check all other requests against that.

This commit also adds the corresponding integration test in the policy crate
showcasing the benefit of having rust integration tests for the policy.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
Leonard Cohnen
7aca7a6671 policy: use agent policy crate in genpolicy test
The generated rego policies for `CreateContainerRequest` are stateful and that
state is handled in the policy crate. We use this policy crate in the
genpolicy integration test to be able to test if those state changes are
handled correctly without spinning up an agent or even a cluster.

This also allows to easily test on a e.g., CreateContainerRequest level
instead of relying on changing the yaml that is applied to a cluster.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
Leonard Cohnen
d03738a757 genpolicy: expose create as library
This commit allows to programmatically invoke genpolicy. This allows for other
rust tools that don't want to consume genpolicy as binary to generate policies.
One such use-case is the policy integration test implemented in the following
commits.

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2025-02-12 10:41:15 +01:00
stevenhorsman
d3e0ecc394 kata-ctl: Allow empty const
Due to the way that multi-arch support is done, on various platforms
we will get a clippy error:
```
error: this expression always evaluates to false
```
which might not be true on those other platforms, so
allow this code pattern to suppress the clippy error

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-06 08:53:51 +00:00
stevenhorsman
17b1e94f1a cargo: Update time crate
So it avoids us hitting
```
error[E0282]: type annotations needed for `Box<_>`
  --> /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/time-0.3.31/src/format_description/parse/mod.rs:83:9
   |
83 |     let items = format_items
   |         ^^^^^
...
86 |     Ok(items.into())
   |              ---- type must be known at this point
   |
help: consider giving `items` an explicit type, where the placeholders `_` are specified
   |
83 |     let items: Box<_> = format_items
   |              ++++++++
```

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
1ac0e67245 kata-ctl: Add stub of missing method for ppc
`host_is_vmcontainer_capable` is required, but wasn't
implemented for powerpc64, so copy the aarch64 approach
@Amulyam24

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
bd3c93713f kata-sys-util: Complete code move
In #7236 the guest protection code was moved to kata-sys-utils,
but some of it was left behind, and the adjustment to the new
location wasn't completed, so the powerpc64 code doesn't
build now we've fixed the cfg to test it.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 15:16:47 +00:00
stevenhorsman
9f865f5bad kata-ctl: Allow dead_code
Some of the Kernel structs have `#[allow(dead_code)]`
but not all and this results in the clippy error:
```
 error: fields `name` and `value` are never read
 ```
 so complete the job started before to remove the error.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:02 +00:00
stevenhorsman
225c7fc026 kata-ctl: Allow unused enum field
Clippy errors with:
```
error: field `0` is never read
```
but the field is required for the `map_err`, so ignore this
error for now to avoid too much disruption

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
Fabiano Fidêncio
b4de302cb2 genpolicy: Adjust to build with rust 1.80.0
```
error: field `image` is never read
  --> src/registry.rs:35:9
   |
34 | pub struct Container {
   |            --------- field in this struct
35 |     pub image: String,
   |         ^^^^^
   |
   = note: `Container` has derived impls for the traits `Debug` and `Clone`, but these are intentionally ignored during dead code analysis
   = note: `-D dead-code` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(dead_code)]`

error: field `use_cache` is never read
   --> src/utils.rs:106:9
    |
105 | pub struct Config {
    |            ------ field in this struct
106 |     pub use_cache: bool,
    |         ^^^^^^^^^
    |
    = note: `Config` has derived impls for the traits `Debug` and `Clone`, but these are intentionally ignored during dead code analysis

error: could not compile `genpolicy` (bin "genpolicy") due to 2 previous errors
```

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
099b241702 powerpc64: Add target_endian = "little"
Based on comments from @Amulyam24 we need to use
the `target_endian = "little"` as well as target_arch = "powerpc64"
to ensure we are working on powerpc64le.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:45:01 +00:00
stevenhorsman
4c006c707a build: Fix powerpc64le target_arch
Starting with version 1.80, the Rust linter does not accept an invalid
value for `target_arch` in configuration checks:

```
   Compiling kata-sys-util v0.1.0 (/home/ddd/Work/kata/kata-containers/src/libs/kata-sys-util)
error: unexpected `cfg` condition value: `powerpc64le`

  --> /home/ddd/Work/kata/kata-containers/src/libs/kata-sys-util/src/protection.rs:17:34
   |
17 | #[cfg(any(target_arch = "s390x", target_arch = "powerpc64le"))]
   |                                  ^^^^^^^^^^^^^^-------------
   |                                                |
   |                                                help: there is a expected value with a similar name: `"powerpc64"`
   |
   = note: expected values for `target_arch` are: `aarch64`, `arm`, `arm64ec`, `avr`, `bpf`, `csky`, `hexagon`, `loongarch64`, `m68k`, `mips`, `mips32r6`, `mips64`, `mips64r6`, `msp430`, `nvptx64`, `powerpc`, `powerpc64`, `riscv32`, `riscv64`, `s390x`, `sparc`, `sparc64`, `wasm32`, `wasm64`, `x86`, and `x86_64`
   = note: see <https://doc.rust-lang.org/nightly/rustc/check-cfg/cargo-specifics.html> for more information about checking conditional configuration
   = note: `-D unexpected-cfgs` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(unexpected_cfgs)]`
```

According [to GitHub user @Urgau][explain], this is a new warning
introduced in Rust 1.80, but the problem exists before. The correct
architecture name should be `powerpc64`, and the differentiation
between `powerpc64le` and `powerpc64` should use the `target_endian =
"little"` check.

[explain]: #10072 (comment)

Fixes: #10067

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
[emlima: fix some more occurences and typos]
Signed-off-by: Emanuel Lima <emlima@redhat.com>
[stevenhorsman: fix some more occurences and typos]
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-02-05 14:20:47 +00:00
dependabot[bot]
df5eafd2a1 build(deps): bump github.com/golang/glog
Bumps the go_modules group with 1 update in the /src/tools/csi-kata-directvolume directory: [github.com/golang/glog](https://github.com/golang/glog).


Updates `github.com/golang/glog` from 1.2.0 to 1.2.4
- [Release notes](https://github.com/golang/glog/releases)
- [Commits](https://github.com/golang/glog/compare/v1.2.0...v1.2.4)

---
updated-dependencies:
- dependency-name: github.com/golang/glog
  dependency-type: direct:production
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-28 17:38:14 +00:00
dependabot[bot]
d2cb14cdbc build(deps): bump the go_modules group across 3 directories with 1 update
Bumps the go_modules group with 1 update in the /src/runtime directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /src/tools/csi-kata-directvolume directory: [golang.org/x/net](https://github.com/golang/net).
Bumps the go_modules group with 1 update in the /tools/testing/kata-webhook directory: [golang.org/x/net](https://github.com/golang/net).


Updates `golang.org/x/net` from 0.25.0 to 0.33.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.33.0)

Updates `golang.org/x/net` from 0.23.0 to 0.33.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.33.0)

Updates `golang.org/x/net` from 0.23.0 to 0.33.0
- [Commits](https://github.com/golang/net/compare/v0.25.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  dependency-group: go_modules
- dependency-name: golang.org/x/net
  dependency-type: indirect
  dependency-group: go_modules
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-23 10:18:22 +00:00
Fabiano Fidêncio
a8678a7794 deps: Update ttrpc to v0.8.4
Update the ttrpc crate to include the fix from Moritz Sanft, which
solves the connectivity issues with 6.12.x kernels*

*: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.12.9&id=3257813a3ae7462ac5cde04e120806f0c0776850

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-22 13:05:43 +01:00
Hui Zhu
d15a7baedd kata-ctl: direct-volume: Auto create KATA_DIRECT_VOLUME_ROOT_PATH
Got following issue:
kata-ctl direct-volume add /kubelet/kata-direct-vol-002/directvol002
"{\"device\": \"/home/t4/teawater/coco/t.img\", \"volume-type\":
\"directvol\", \"fstype\": \"\", \"metadata\":"{}", \"options\": []}"
subsystem: kata-ctl_main
 Dec 30 09:43:41.150 ERRO Os {
    code: 2,
    kind: NotFound,
    message: "No such file or directory",
}
The reason is KATA_DIRECT_VOLUME_ROOT_PATH is not exist.

This commit create_dir_all KATA_DIRECT_VOLUME_ROOT_PATH before join_path
to handle this issue.

Fixes: #10695

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2024-12-30 17:55:49 +08:00
Fupan Li
2068801b80 Merge pull request #10626 from teawater/ma
Add mem-agent to kata
2024-12-24 14:11:36 +08:00
Liu Bo
95fc585103 kata-ctl: fix outdated comments
MgmnClient can also tolerate short sandbox id.

Signed-off-by: Liu Bo <liub.liubo@gmail.com>
2024-12-12 21:59:54 -08:00