kata.kata-runtime: drop OCI version check from policy

Signed-off-by: Paul Meyer <[email protected]>
edgelesssys · Dec 6, 2024 · 0b64089 · 0b64089
1 parent 7bacd11
commit 0b64089
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 44 deletions.
diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <[email protected]>
+Date: Fri, 6 Dec 2024 15:16:45 +0100
+Subject: [PATCH] genpolicy/rules: remove check for OCI version
+
+Signed-off-by: Paul Meyer <[email protected]>
+---
+ src/tools/genpolicy/rules.rego | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
+index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..c8de30897a01a0de49b99587c7e12ef534c353bc 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -71,9 +71,6 @@ CreateContainerRequest {
+
+     p_oci := p_container.OCI
+
+-    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+-    p_oci.Version == i_oci.Version
+-
+     print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+     p_oci.Root.Readonly == i_oci.Root.Readonly
+
diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch
diff --git a/...by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch b/...by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch
@@ -10,7 +10,7 @@ https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integratio
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e..4e9f6481d649fc45716f182c394f38059792eb91 100644
+index e50d5e545e3fe42db486771345310d4c2157be2f..d2d1511ae75d56c4f39915515343b2cd20d9d65a 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -243,7 +243,7 @@

diff --git a/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch b/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch
@@ -26,7 +26,7 @@ don't even bother handling that case.
  create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0da9967dea 100644
+index d2d1511ae75d56c4f39915515343b2cd20d9d65a..ef20413eacc029d4fcb0b1d2f538a13314a25670 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -148,7 +148,7 @@
@@ -39,10 +39,10 @@ index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0d
              "source": "local",
              "fstype": "local",
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b29fdcfbdb 100644
+index c8de30897a01a0de49b99587c7e12ef534c353bc..b9cf357508e632b2d64a5332a3c4e7a6442852de 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -80,7 +80,7 @@ CreateContainerRequest {
+@@ -77,7 +77,7 @@ CreateContainerRequest {
      allow_anno(p_oci, i_oci)
 
      p_storages := p_container.storages
@@ -51,7 +51,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2
 
      p_devices := p_container.devices
      allow_devices(p_devices, i_devices)
-@@ -160,47 +160,48 @@ allow_anno_key(i_key, p_oci) {
+@@ -157,47 +157,48 @@ allow_anno_key(i_key, p_oci) {
 
  # Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
  # correlate it with other annotations and process fields.
@@ -108,7 +108,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2
      allow_process(p_oci, i_oci, s_name)
 
      print("allow_by_sandbox_name: true")
-@@ -506,11 +507,12 @@ allow_linux_sysctl(p_linux, i_linux) {
+@@ -503,11 +504,12 @@ allow_linux_sysctl(p_linux, i_linux) {
 
  # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
  # and io.kubernetes.cri.sandbox-id" values with other fields.
@@ -122,7 +122,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2
      p_regex := p_oci.Annotations[key]
      sandbox_id := i_oci.Annotations[key]
 
-@@ -530,8 +532,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+@@ -527,8 +529,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
          allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
      }
 
@@ -132,7 +132,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2
 
      print("allow_by_bundle_or_sandbox_id: true")
  }
-@@ -829,30 +830,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+@@ -826,30 +827,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
  ######################################################################
  # Create container Storages
 

diff --git a/...es/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch b/...es/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch
@@ -9,10 +9,10 @@ Subject: [PATCH] genpolicy: support mount propagation and ro-mounts
  2 files changed, 9 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 44af45437f550877652c33019f42b0b29fdcfbdb..823e5e76d55bac47ad9c79d8916f92702efa316d 100644
+index b9cf357508e632b2d64a5332a3c4e7a6442852de..6cabea53a52c2e0b9b52a086d166613d3440d5c4 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -105,7 +105,8 @@ allow_create_container_input {
+@@ -102,7 +102,8 @@ allow_create_container_input {
      count(i_linux.GIDMappings) == 0
      count(i_linux.MountLabel) == 0
      count(i_linux.Resources.Devices) == 0

diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix
@@ -53,10 +53,13 @@ buildGoModule rec {
       # Contrast specific layer-src-prefix, also applied to microsoft.kata-runtime.
       # TODO(burgerdev): discuss relaxing the checks for host paths with Kata maintainers.
       ./0006-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
-      # Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
-      # TODO(burgerdev): discuss relaxing the OCI version checks with Kata maintainers.
-      # TODO(burgerdev): move to genpolicy-settings patches
-      ./0007-genpolicy-settings-bump-OCI-version.patch
+      # An attacker can set any OCI version they like, so we can't rely on it.
+      # The policy must be secure no matter what OCI version is communicated.
+      # TODO(kateoxchen): upstream. See https://github.com/kata-containers/kata-containers/issues/10632.
+      # TODO(katexochen): Additional security measures should be taken to ensure the OCI
+      # version is the same well use to create the container and the policy covers all the
+      # fields of the spec.
+      ./0007-genpolicy-rules-remove-check-for-OCI-version.patch
       # Nydus uses a different base dir for container rootfs,
       # see https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139.
       # TODO(burgerdev): discuss the discrepancy and path forward with Kata maintainers.