diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch
new file mode 100644
index 000000000..b7052cda3
--- /dev/null
+++ b/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch
@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Fri, 6 Dec 2024 15:16:45 +0100
+Subject: [PATCH] genpolicy/rules: remove check for OCI version
+
+Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+---
+ src/tools/genpolicy/rules.rego | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
+index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..c8de30897a01a0de49b99587c7e12ef534c353bc 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -71,9 +71,6 @@ CreateContainerRequest {
+
+ p_oci := p_container.OCI
+
+- print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+- p_oci.Version == i_oci.Version
+-
+ print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+ p_oci.Root.Readonly == i_oci.Root.Readonly
+
diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch
deleted file mode 100644
index b1dbf4c31..000000000
--- a/packages/by-name/kata/kata-runtime/0007-genpolicy-settings-bump-OCI-version.patch
+++ /dev/null
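Review bot: The new patch drops the `p_oci.Version == i_oci.Version` comparison with no body text explaining why, yet the accompanying package.nix TODO says it is meant to be upstreamed, so an upstream reviewer would see only "remove check for OCI version". The patch body should state the rationale that currently lives only in package.nix: `i_oci.Version` is part of the OCI spec supplied by the untrusted host, so a hostile host can report whatever value the policy expects and the equality check adds no protection; the remaining rules must therefore hold for any claimed version (the functional trigger, a host reporting 1.2.0 against a policy fixed at 1.1.0, is inferred from the deleted 0007 patch, please confirm). Deleting the `print` together with the check also removes the only place the received version is logged, so a rejected `CreateContainerRequest` no longer shows which version the host sent; keeping a single `print("CreateContainerRequest: i Version =", i_oci.Version)` line costs nothing and helps triage. `CreateContainerRequest` starts before and continues past this hunk.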
@@ -1,30 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Markus Rudy -Date: Wed, 24 Jul 2024 11:16:37 +0200 -Subject: [PATCH] genpolicy-settings: bump OCI version - -Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0. ---- - src/tools/genpolicy/genpolicy-settings.json | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json -index e50d5e545e3fe42db486771345310d4c2157be2f..fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e 100644 ---- a/src/tools/genpolicy/genpolicy-settings.json -+++ b/src/tools/genpolicy/genpolicy-settings.json -@@ -312,7 +312,7 @@ - }, - "kata_config": { - "confidential_guest": false, -- "oci_version": "1.1.0" -+ "oci_version": "1.2.0" - }, - "cluster_config": { - "default_namespace": "default", -@@ -348,4 +348,4 @@ - "UpdateEphemeralMountsRequest": false, - "WriteStreamRequest": false - } --} -\ No newline at end of file -+} diff --git a/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch b/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch index 1b2a2f104..e0176763d 100644 --- a/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch +++ b/packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch @@ -10,7 +10,7 @@ https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integratio 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json -index fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e..4e9f6481d649fc45716f182c394f38059792eb91 100644 +index e50d5e545e3fe42db486771345310d4c2157be2f..d2d1511ae75d56c4f39915515343b2cd20d9d65a 100644 --- a/src/tools/genpolicy/genpolicy-settings.json 
+++ b/src/tools/genpolicy/genpolicy-settings.json @@ -243,7 +243,7 @@ diff --git a/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch b/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch index 5060d3259..c3536db09 100644 --- a/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch +++ b/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch @@ -26,7 +26,7 @@ don't even bother handling that case. create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json -index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0da9967dea 100644 +index d2d1511ae75d56c4f39915515343b2cd20d9d65a..ef20413eacc029d4fcb0b1d2f538a13314a25670 100644 --- a/src/tools/genpolicy/genpolicy-settings.json +++ b/src/tools/genpolicy/genpolicy-settings.json @@ -148,7 +148,7 @@ @@ -39,10 +39,10 @@ index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0d "source": "local", "fstype": "local", diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b29fdcfbdb 100644 +index c8de30897a01a0de49b99587c7e12ef534c353bc..b9cf357508e632b2d64a5332a3c4e7a6442852de 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego -@@ -80,7 +80,7 @@ CreateContainerRequest { +@@ -77,7 +77,7 @@ CreateContainerRequest { allow_anno(p_oci, i_oci) p_storages := p_container.storages 
@@ -51,7 +51,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 p_devices := p_container.devices allow_devices(p_devices, i_devices) -@@ -160,47 +160,48 @@ allow_anno_key(i_key, p_oci) { +@@ -157,47 +157,48 @@ allow_anno_key(i_key, p_oci) { # Get the value of the "io.kubernetes.cri.sandbox-name" annotation and # correlate it with other annotations and process fields. @@ -108,7 +108,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 allow_process(p_oci, i_oci, s_name) print("allow_by_sandbox_name: true") -@@ -506,11 +507,12 @@ allow_linux_sysctl(p_linux, i_linux) { +@@ -503,11 +504,12 @@ allow_linux_sysctl(p_linux, i_linux) { # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" # and io.kubernetes.cri.sandbox-id" values with other fields. @@ -122,7 +122,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 p_regex := p_oci.Annotations[key] sandbox_id := i_oci.Annotations[key] -@@ -530,8 +532,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { +@@ -527,8 +529,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { allow_mount(p_oci, i_mount, bundle_id, sandbox_id) } @@ -132,7 +132,7 @@ index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b2 print("allow_by_bundle_or_sandbox_id: true") } -@@ -829,30 +830,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { +@@ -826,30 +827,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { ###################################################################### # Create container Storages diff --git a/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch b/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch index 85efbd904..094e8e4f8 100644 
--- a/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch +++ b/packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch @@ -9,10 +9,10 @@ Subject: [PATCH] genpolicy: support mount propagation and ro-mounts 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index 44af45437f550877652c33019f42b0b29fdcfbdb..823e5e76d55bac47ad9c79d8916f92702efa316d 100644 +index b9cf357508e632b2d64a5332a3c4e7a6442852de..6cabea53a52c2e0b9b52a086d166613d3440d5c4 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego -@@ -105,7 +105,8 @@ allow_create_container_input { +@@ -102,7 +102,8 @@ allow_create_container_input { count(i_linux.GIDMappings) == 0 count(i_linux.MountLabel) == 0 count(i_linux.Resources.Devices) == 0 diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix index 087d0aa27..834ea32bb 100644 --- a/packages/by-name/kata/kata-runtime/package.nix +++ b/packages/by-name/kata/kata-runtime/package.nix 
@@ -53,10 +53,13 @@ buildGoModule rec {
 # Contrast specific layer-src-prefix, also applied to microsoft.kata-runtime.
 # TODO(burgerdev): discuss relaxing the checks for host paths with Kata maintainers.
 ./0006-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
- # Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
- # TODO(burgerdev): discuss relaxing the OCI version checks with Kata maintainers.
- # TODO(burgerdev): move to genpolicy-settings patches
- ./0007-genpolicy-settings-bump-OCI-version.patch
+ # An attacker can set any OCI version they like, so we can't rely on it.
+ # The policy must be secure no matter what OCI version is communicated.
+ # TODO(kateoxchen): upstream. See https://github.com/kata-containers/kata-containers/issues/10632.
+ # TODO(katexochen): Additional security measures should be taken to ensure the OCI
+ # version is the same well use to create the container and the policy covers all the
+ # fields of the spec.
+ ./0007-genpolicy-rules-remove-check-for-OCI-version.patch
 # Nydus uses a different base dir for container rootfs,
 # see https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139.
 # TODO(burgerdev): discuss the discrepancy and path forward with Kata maintainers.
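Review bot: The new comment block has two wording defects that whoever picks up the TODOs will trip over: the first TODO is attributed to `kateoxchen` and the second to `katexochen`, and "the same well use" should read "the same we'll use". Proposed lines: `# TODO(katexochen): upstream. See https://github.com/kata-containers/kata-containers/issues/10632.` and `# version is the same we'll use to create the container and the policy covers all the`. The opening two sentences would also carry more weight if they said why the version cannot be relied on, since that is the security argument for dropping a check rather than relaxing it: `# The OCI version is part of the host-supplied spec, so a hostile host can report whatever value the policy expects; an equality check adds no protection.` The `buildGoModule rec { … }` attribute set this patch list belongs to starts before and ends after the hunk.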