fixup! kata.kata-runtime: genpolicy patches for secure guest-pull

packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch

@@ -1,4 +1,4 @@
-From 8c29ac76e104c0f9f021c005e6d24fcb0b0a09af Mon Sep 17 00:00:00 2001
+From 786d23a72425fb55d1ba043f1a64026abea266e1 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Fri, 5 Jul 2024 08:43:13 +0000
 Subject: [PATCH 01/13] govmm: Directly pass the firwmare using -bios with SNP
@@ -24,5 +24,5 @@ index 47322c803..6b2b6b02d 100644
  		objectParams = append(objectParams, string(object.Type))
  		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch

@@ -1,4 +1,4 @@
-From 514b6a6d74fd2e8fcd7e488ac58736e7f1396e89 Mon Sep 17 00:00:00 2001
+From 1831c429d985b5f17a76e0943d345b0f87707100 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:35:54 +0000
 Subject: [PATCH 02/13] emulate CPU model that most closely matches the host
@@ -36,5 +36,5 @@ index 1d1be1711..6ebee26ce 100644
  	}
 
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch

@@ -1,4 +1,4 @@
-From 468e1971a1b3bcf3ebfbb53a9c928a06cba112ed Mon Sep 17 00:00:00 2001
+From 4aa73d29ed5300bb530483e29c03c7cd4cb2f342 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:51:20 +0000
 Subject: [PATCH 03/13] runtime: agent: verify the agent policy hash
@@ -1287,5 +1287,5 @@ index b58daccaa..af35af12e 100644
  	spec := s.GetPatchedOCISpec()
  	if spec != nil && spec.Process.SelinuxLabel != "" {
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch

@@ -1,4 +1,4 @@
-From 6ba8c62e39c9da54347ef5fe668bc25a4f3b3078 Mon Sep 17 00:00:00 2001
+From 01134399f6e2f8a1a106dfd51fbeb3dcd0478442 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Fri, 9 Aug 2024 11:06:04 +0200
 Subject: [PATCH 04/13] virtcontainers: allow specifying nydus-overlayfs binary
@@ -179,5 +179,5 @@ index be76a93a6..a809bb018 100644
  			} else {
  				errors = merr.Append(errors, bindUnmountContainerRootfs(ctx, sharedDir, c.id))
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch

@@ -1,23 +1,20 @@
-From a72dc578428a828a8b03ae58a2c87a6565a2776b Mon Sep 17 00:00:00 2001
-From: Markus Rudy <[email protected]>
-Date: Fri, 19 Jul 2024 11:08:19 +0200
+From 3c4c4d9b8dfeec7acf57685672b2da2911331117 Mon Sep 17 00:00:00 2001
+From: Dan Mihai <[email protected]>
+Date: Tue, 19 Dec 2023 09:54:55 -0800
 Subject: [PATCH 05/13] genpolicy: deny UpdateEphemeralMountsRequest
 
-The UpdateEphemeralMountsRequest is triggered by memory hotplug events,
-which are not supported for TEEs. Denying this request by default
-spares us the implementation of fine-grained target checks. The default
-can still be overridden with the settings file.
+* genpolicy: deny UpdateEphemeralMountsRequest
 
-Signed-off-by: Markus Rudy <[email protected]>
+Deny UpdateEphemeralMountsRequest by default, because paths to
+critical Guest components can be redirected using such request.
 
-NOTE: Upstream has corresponding
-https://github.com/kata-containers/kata-containers/pull/9911, but it's
-blocked by CI.
+Signed-off-by: Dan Mihai <[email protected]>
 ---
- src/tools/genpolicy/genpolicy-settings.json | 1 +
- src/tools/genpolicy/rules.rego              | 6 +++++-
- src/tools/genpolicy/src/policy.rs           | 3 +++
- 3 files changed, 9 insertions(+), 1 deletion(-)
+ src/tools/genpolicy/genpolicy-settings.json  |  1 +
+ src/tools/genpolicy/rules.rego               |  6 +++++-
+ src/tools/genpolicy/src/policy.rs            |  3 +++
+ tests/integration/kubernetes/tests_common.sh | 14 ++++++++++++++
+ 4 files changed, 23 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
 index 95972de77..b8b321f36 100644
@@ -70,6 +67,38 @@ index 026010ea2..9402e87ed 100644
      /// Allow Host writing to Guest containers stdin.
      pub WriteStreamRequest: bool,
  }
+diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
+index c88b4adec..192bc637b 100644
+--- a/tests/integration/kubernetes/tests_common.sh
++++ b/tests/integration/kubernetes/tests_common.sh
+@@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() {
+ 	jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
+ }
+
++# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189
++adapt_common_policy_settings_for_cbl_mariner() {
++	local settings_dir=$1
++
++	info "Adapting common policy settings for CBL-Mariner"
++	jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
++}
++
+ # adapt common policy settings for various platforms
+ adapt_common_policy_settings() {
+
+@@ -166,6 +174,12 @@ adapt_common_policy_settings() {
+ 			adapt_common_policy_settings_for_sev "${settings_dir}"
+ 			;;
+ 	esac
++
++	case "${KATA_HOST_OS}" in
++		"cbl-mariner")
++			adapt_common_policy_settings_for_cbl_mariner "${settings_dir}"
++			;;
++	esac
+ }
+
+ # If auto-generated policy testing is enabled, make a copy of the genpolicy settings,
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch

@@ -1,4 +1,4 @@
-From 7ba5925d487f180f85f6b9cf76f68709d372fee7 Mon Sep 17 00:00:00 2001
+From a0ed8e5860afccf3c336d294c20e222fd1356b4d Mon Sep 17 00:00:00 2001
 From: Dan Mihai <[email protected]>
 Date: Thu, 4 Jan 2024 22:28:24 +0000
 Subject: [PATCH 06/13] genpolicy: validate create sandbox storages
@@ -7,9 +7,6 @@ Reject any unexpected values from the CreateSandboxRequest storages
 field.
 
 Signed-off-by: Dan Mihai <[email protected]>
-
-NOTE: this prevents virtio-fs storage and thus works only with tardev-
-or nydus-snapshotter.
 ---
  src/tools/genpolicy/genpolicy-settings.json | 19 ++++++++++++++++
  src/tools/genpolicy/rules.rego              | 25 ++++++++++++++++++++-
@@ -146,5 +143,5 @@ index 949f6ad27..b7f0515d1 100644
 
  /// Volume settings loaded from genpolicy-settings.json.
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch

@@ -1,16 +1,19 @@
-From 8c07b679e7f1884db969cb7b746474f6e02f2244 Mon Sep 17 00:00:00 2001
+From e57f503ef752c74fcb252e969180887e3be2ab1d Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Wed, 24 Jul 2024 09:48:48 +0200
 Subject: [PATCH 07/13] genpolicy: enable sysctl checks
 
-NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10064
+Sysctls may be added to a container by the Kubernetes pod definition or
+by containerd configuration. This commit adds support for the
+corresponding PodSpec field and an option to specify
+environment-dependent sysctls in the settings file.
 ---
  src/tools/genpolicy/genpolicy-settings.json | 10 ++++++++++
- src/tools/genpolicy/rules.rego              | 17 +++++++++++++++-
+ src/tools/genpolicy/rules.rego              | 17 ++++++++++++++++-
  src/tools/genpolicy/src/containerd.rs       |  4 ++++
- src/tools/genpolicy/src/pod.rs              | 22 +++++++++++++++++++++
- src/tools/genpolicy/src/policy.rs           | 12 +++++++++++
- 5 files changed, 64 insertions(+), 1 deletion(-)
+ src/tools/genpolicy/src/pod.rs              | 20 ++++++++++++++++++++
+ src/tools/genpolicy/src/policy.rs           | 10 ++++++++++
+ 5 files changed, 60 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
 index fe1625bac..e50d5e545 100644
@@ -112,7 +115,7 @@ index 075fced5b..2922ea0ab 100644
      }
  }
 diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs
-index 4fda02916..ef5dece58 100644
+index 4fda02916..25a320f4a 100644
 --- a/src/tools/genpolicy/src/pod.rs
 +++ b/src/tools/genpolicy/src/pod.rs
 @@ -21,6 +21,7 @@ use log::{debug, warn};
@@ -147,24 +150,22 @@ index 4fda02916..ef5dece58 100644
  /// See Reference / Kubernetes API / Workload Resources / Pod.
  #[derive(Clone, Debug, Serialize, Deserialize)]
  struct PodSecurityContext {
-@@ -696,6 +707,16 @@ impl Container {
+@@ -696,6 +707,14 @@ impl Container {
 
          commands
      }
 +
 +    pub fn apply_sysctls(&self, sysctls: &mut HashMap<String, String>) {
 +        if let Some(securityContext) = &self.securityContext {
 +            if let Some(container_sysctls) = &securityContext.sysctls {
-+                for sysctl in container_sysctls {
-+                    sysctls.insert(sysctl.name.clone(), sysctl.value.clone());
-+                }
++                sysctls.extend(container_sysctls.iter().map(|el| (el.name.clone(), el.value.clone())));
 +            }
 +        }
 +    }
  }
 
  impl EnvFromSource {
-@@ -996,6 +1017,7 @@ pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Confi
+@@ -996,6 +1015,7 @@ pub async fn add_pause_container(containers: &mut Vec<Container>, config: &Confi
              capabilities: None,
              runAsUser: None,
              seccompProfile: None,
@@ -173,7 +174,7 @@ index 4fda02916..ef5dece58 100644
          ..Default::default()
      };
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 973643e1f..fb1e92388 100644
+index 973643e1f..adbdf97f3 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -27,6 +27,7 @@ use serde_yaml::Value;
@@ -205,18 +206,16 @@ index 973643e1f..fb1e92388 100644
  }
 
  /// OCI container LinuxNamespace struct. This struct is similar to the LinuxNamespace
-@@ -616,6 +623,11 @@ impl AgentPolicy {
+@@ -616,6 +623,9 @@ impl AgentPolicy {
              linux.Devices.push(default_device.clone())
          }
 
-+        for (k, v) in &c_settings.Linux.Sysctl {
-+            linux.Sysctl.insert(k.clone(), v.clone());
-+        }
++        linux.Sysctl.extend(c_settings.Linux.Sysctl.clone());
 +        yaml_container.apply_sysctls(&mut linux.Sysctl);
 +
          ContainerPolicy {
              OCI: KataSpec {
                  Version: self.config.settings.kata_config.oci_version.clone(),
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch

@@ -1,8 +1,13 @@
-From 793527d84d379f9a7d84499f769cc6e74ed5bb6c Mon Sep 17 00:00:00 2001
+From de0458b25d94625aa9429b9dc73609be49ae477c Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Wed, 24 Jul 2024 09:51:57 +0200
 Subject: [PATCH 08/13] genpolicy: read bundle-id from rootfs
 
+The host path of bundles is not portable and could be literally anything
+depending on containerd configuration, so we can't rely on a specific
+prefix when deriving the bundle-id. Instead, we derive the bundle-id
+from the target root path in the guest.
+
 NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10065
 ---
  src/tools/genpolicy/rules.rego | 29 ++++++++---------------------
@@ -63,5 +68,5 @@ index 9f0355634..f9ff50e22 100644
  allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
      print("allow_mount: i_mount =", i_mount)
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0009-genpolicy-harden-args-and-env.patch

@@ -1,10 +1,15 @@
-From 169ef67c287cb5b6bf71918da8800e88c4fa4873 Mon Sep 17 00:00:00 2001
+From f9a94397703b1e6504052c5b2cce84f40dc98da2 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Fri, 2 Aug 2024 15:37:38 +0200
 Subject: [PATCH 09/13] genpolicy: harden args and env
 
-NOTE: This fixes an unpublished issue with env and path from downward
-API.
+Some downward API values can't be checked against reference values:
+* Node name
+* Pod name (in the case of controllers)
+* UIDs
+
+This commit adds basic sanity checks for these values to make use in
+environment variables more safe (e.g. against command injection).
 ---
  src/tools/genpolicy/rules.rego                |  22 +-
  src/tools/genpolicy/tests/main.rs             |   7 +-
@@ -954,5 +959,5 @@ index 000000000..4ca01fb34
 +  }
 +]
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0010-genpolicy-regex-check-contrast-specific-layer-src-pr.patch

@@ -1,4 +1,4 @@
-From 9081fb86ae71d75da3be4f9457897ea70ac89bdd Mon Sep 17 00:00:00 2001
+From 0be96f1d5e1102496c53ef48c09e52a42d67f627 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Thu, 11 Jul 2024 12:05:00 +0200
 Subject: [PATCH 10/13] genpolicy: regex check contrast specific
@@ -23,5 +23,5 @@ index d8a37124e..b64ff7b3b 100644
      print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
      i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0011-genpolicy-settings-bump-OCI-version.patch

@@ -1,9 +1,9 @@
-From 1f20c78a5b1cef2cff4e0c8a64437c1297d28faa Mon Sep 17 00:00:00 2001
+From 74a899fedd43135130136a3a1abe950bd8c7426a Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Wed, 24 Jul 2024 11:16:37 +0200
 Subject: [PATCH 11/13] genpolicy-settings: bump OCI version
 
-NOTE: Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
+Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
 ---
  src/tools/genpolicy/genpolicy-settings.json | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
@@ -29,5 +29,5 @@ index e50d5e545..fcafa46cc 100644
 \ No newline at end of file
 +}
 -- 
-2.45.2
+2.46.0
 

packages/by-name/kata/kata-runtime/0012-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch

@@ -1,9 +1,9 @@
-From 4fd2477cb681a43cce2153aa7861125f44103dc3 Mon Sep 17 00:00:00 2001
+From f2d00f6bcd6e4b6546a51ec60c5643a27c4df4e8 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Mon, 12 Aug 2024 14:18:43 +0200
 Subject: [PATCH 12/13] genpolicy-settings: change cpath for Nydus guest pull
 
-NOTE: Nydus uses a different base dir for container rootfs, see
+Nydus uses a different base dir for container rootfs, see
 https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139
 ---
  src/tools/genpolicy/genpolicy-settings.json | 2 +-
@@ -23,5 +23,5 @@ index fcafa46cc..4e9f6481d 100644
          "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
          "ip_p": "[0-9]{1,5}",
 -- 
-2.45.2
+2.46.0