diff --git a/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch b/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch index f210416bf..fae4a0c2c 100644 --- a/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch +++ b/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch @@ -1,4 +1,4 @@ -From 8c29ac76e104c0f9f021c005e6d24fcb0b0a09af Mon Sep 17 00:00:00 2001 +From 786d23a72425fb55d1ba043f1a64026abea266e1 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Fri, 5 Jul 2024 08:43:13 +0000 Subject: [PATCH 01/13] govmm: Directly pass the firwmare using -bios with SNP @@ -24,5 +24,5 @@ index 47322c803..6b2b6b02d 100644 objectParams = append(objectParams, string(object.Type)) objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch b/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch index 657a6e5e4..4d1add8cd 100644 --- a/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch +++ b/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch @@ -1,4 +1,4 @@ -From 514b6a6d74fd2e8fcd7e488ac58736e7f1396e89 Mon Sep 17 00:00:00 2001 +From 1831c429d985b5f17a76e0943d345b0f87707100 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 8 Jul 2024 07:35:54 +0000 Subject: [PATCH 02/13] emulate CPU model that most closely matches the host @@ -36,5 +36,5 @@ index 1d1be1711..6ebee26ce 100644 } -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch index 8a980e6f3..d2fe1c842 100644 
--- a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch +++ b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch @@ -1,4 +1,4 @@ -From 468e1971a1b3bcf3ebfbb53a9c928a06cba112ed Mon Sep 17 00:00:00 2001 +From 4aa73d29ed5300bb530483e29c03c7cd4cb2f342 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 8 Jul 2024 07:51:20 +0000 Subject: [PATCH 03/13] runtime: agent: verify the agent policy hash @@ -1287,5 +1287,5 @@ index b58daccaa..af35af12e 100644 spec := s.GetPatchedOCISpec() if spec != nil && spec.Process.SelinuxLabel != "" { -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch b/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch index a7912f188..a62323ea5 100644 --- a/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch +++ b/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch @@ -1,4 +1,4 @@ -From 6ba8c62e39c9da54347ef5fe668bc25a4f3b3078 Mon Sep 17 00:00:00 2001 +From 01134399f6e2f8a1a106dfd51fbeb3dcd0478442 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Fri, 9 Aug 2024 11:06:04 +0200 Subject: [PATCH 04/13] virtcontainers: allow specifying nydus-overlayfs binary @@ -179,5 +179,5 @@ index be76a93a6..a809bb018 100644 } else { errors = merr.Append(errors, bindUnmountContainerRootfs(ctx, sharedDir, c.id)) -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch b/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch index df187b51a..cfc2c804e 100644 --- a/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch 
+++ b/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch @@ -1,23 +1,20 @@ -From a72dc578428a828a8b03ae58a2c87a6565a2776b Mon Sep 17 00:00:00 2001 -From: Markus Rudy -Date: Fri, 19 Jul 2024 11:08:19 +0200 +From 3c4c4d9b8dfeec7acf57685672b2da2911331117 Mon Sep 17 00:00:00 2001 +From: Dan Mihai +Date: Tue, 19 Dec 2023 09:54:55 -0800 Subject: [PATCH 05/13] genpolicy: deny UpdateEphemeralMountsRequest -The UpdateEphemeralMountsRequest is triggered by memory hotplug events, -which are not supported for TEEs. Denying this request by default -spares us the implementation of fine-grained target checks. The default -can still be overridden with the settings file. +* genpolicy: deny UpdateEphemeralMountsRequest -Signed-off-by: Markus Rudy +Deny UpdateEphemeralMountsRequest by default, because paths to +critical Guest components can be redirected using such request. -NOTE: Upstream has corresponding -https://github.com/kata-containers/kata-containers/pull/9911, but it's -blocked by CI. +Signed-off-by: Dan Mihai --- - src/tools/genpolicy/genpolicy-settings.json | 1 + - src/tools/genpolicy/rules.rego | 6 +++++- - src/tools/genpolicy/src/policy.rs | 3 +++ - 3 files changed, 9 insertions(+), 1 deletion(-) + src/tools/genpolicy/genpolicy-settings.json | 1 + + src/tools/genpolicy/rules.rego | 6 +++++- + src/tools/genpolicy/src/policy.rs | 3 +++ + tests/integration/kubernetes/tests_common.sh | 14 ++++++++++++++ + 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index 95972de77..b8b321f36 100644 
@@ -70,6 +67,38 @@ index 026010ea2..9402e87ed 100644 /// Allow Host writing to Guest containers stdin. pub WriteStreamRequest: bool, } +diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh +index c88b4adec..192bc637b 100644 +--- a/tests/integration/kubernetes/tests_common.sh ++++ b/tests/integration/kubernetes/tests_common.sh +@@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() { + jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + } + ++# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189 ++adapt_common_policy_settings_for_cbl_mariner() { ++ local settings_dir=$1 ++ ++ info "Adapting common policy settings for CBL-Mariner" ++ jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" ++} ++ + # adapt common policy settings for various platforms + adapt_common_policy_settings() { + +@@ -166,6 +174,12 @@ adapt_common_policy_settings() { + adapt_common_policy_settings_for_sev "${settings_dir}" + ;; + esac ++ ++ case "${KATA_HOST_OS}" in ++ "cbl-mariner") ++ adapt_common_policy_settings_for_cbl_mariner "${settings_dir}" ++ ;; ++ esac + } + + # If auto-generated policy testing is enabled, make a copy of the genpolicy settings, -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch b/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch index b9e6e83db..1d15ebb4b 100644 --- a/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch 
+++ b/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch @@ -1,4 +1,4 @@ -From 7ba5925d487f180f85f6b9cf76f68709d372fee7 Mon Sep 17 00:00:00 2001 +From a0ed8e5860afccf3c336d294c20e222fd1356b4d Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Thu, 4 Jan 2024 22:28:24 +0000 Subject: [PATCH 06/13] genpolicy: validate create sandbox storages @@ -7,9 +7,6 @@ Reject any unexpected values from the CreateSandboxRequest storages field. Signed-off-by: Dan Mihai - -NOTE: this prevents virtio-fs storage and thus works only with tardev- -or nydus-snapshotter. --- src/tools/genpolicy/genpolicy-settings.json | 19 ++++++++++++++++ src/tools/genpolicy/rules.rego | 25 ++++++++++++++++++++- @@ -146,5 +143,5 @@ index 949f6ad27..b7f0515d1 100644 /// Volume settings loaded from genpolicy-settings.json. -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch index 53b7961a4..ca22a8394 100644 --- a/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch +++ b/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch @@ -1,16 +1,19 @@ -From 8c07b679e7f1884db969cb7b746474f6e02f2244 Mon Sep 17 00:00:00 2001 +From e57f503ef752c74fcb252e969180887e3be2ab1d Mon Sep 17 00:00:00 2001 
From: Markus Rudy Date: Wed, 24 Jul 2024 09:48:48 +0200 Subject: [PATCH 07/13] genpolicy: enable sysctl checks -NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10064 +Sysctls may be added to a container by the Kubernetes pod definition or +by containerd configuration. This commit adds support for the +corresponding PodSpec field and an option to specify +environment-dependent sysctls in the settings file. --- src/tools/genpolicy/genpolicy-settings.json | 10 ++++++++++ - src/tools/genpolicy/rules.rego | 17 +++++++++++++++- + src/tools/genpolicy/rules.rego | 17 ++++++++++++++++- src/tools/genpolicy/src/containerd.rs | 4 ++++ - src/tools/genpolicy/src/pod.rs | 22 +++++++++++++++++++++ - src/tools/genpolicy/src/policy.rs | 12 +++++++++++ - 5 files changed, 64 insertions(+), 1 deletion(-) + src/tools/genpolicy/src/pod.rs | 20 ++++++++++++++++++++ + src/tools/genpolicy/src/policy.rs | 10 ++++++++++ + 5 files changed, 60 insertions(+), 1 deletion(-) diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json index fe1625bac..e50d5e545 100644 @@ -112,7 +115,7 @@ index 075fced5b..2922ea0ab 100644 } } diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs -index 4fda02916..ef5dece58 100644 +index 4fda02916..25a320f4a 100644 --- a/src/tools/genpolicy/src/pod.rs +++ b/src/tools/genpolicy/src/pod.rs @@ -21,6 +21,7 @@ use log::{debug, warn}; @@ -147,7 +150,7 @@ index 4fda02916..ef5dece58 100644 /// See Reference / Kubernetes API / Workload Resources / Pod. #[derive(Clone, Debug, Serialize, Deserialize)] struct PodSecurityContext { -@@ -696,6 +707,16 @@ impl Container { +@@ -696,6 +707,14 @@ impl Container { commands } 
@@ -155,16 +158,14 @@ index 4fda02916..ef5dece58 100644 + pub fn apply_sysctls(&self, sysctls: &mut HashMap) { + if let Some(securityContext) = &self.securityContext { + if let Some(container_sysctls) = &securityContext.sysctls { -+ for sysctl in container_sysctls { -+ sysctls.insert(sysctl.name.clone(), sysctl.value.clone()); -+ } ++ sysctls.extend(container_sysctls.iter().map(|el| (el.name.clone(), el.value.clone()))); + } + } + } } impl EnvFromSource { -@@ -996,6 +1017,7 @@ pub async fn add_pause_container(containers: &mut Vec, config: &Confi +@@ -996,6 +1015,7 @@ pub async fn add_pause_container(containers: &mut Vec, config: &Confi capabilities: None, runAsUser: None, seccompProfile: None, @@ -173,7 +174,7 @@ index 4fda02916..ef5dece58 100644 ..Default::default() }; diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs -index 973643e1f..fb1e92388 100644 +index 973643e1f..adbdf97f3 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -27,6 +27,7 @@ use serde_yaml::Value; @@ -205,18 +206,16 @@ index 973643e1f..fb1e92388 100644 } /// OCI container LinuxNamespace struct. This struct is similar to the LinuxNamespace -@@ -616,6 +623,11 @@ impl AgentPolicy { +@@ -616,6 +623,9 @@ impl AgentPolicy { linux.Devices.push(default_device.clone()) } -+ for (k, v) in &c_settings.Linux.Sysctl { -+ linux.Sysctl.insert(k.clone(), v.clone()); -+ } ++ linux.Sysctl.extend(c_settings.Linux.Sysctl.clone()); + yaml_container.apply_sysctls(&mut linux.Sysctl); + ContainerPolicy { OCI: KataSpec { Version: self.config.settings.kata_config.oci_version.clone(), -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch b/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch index 6e57c2fed..d186692eb 100644 --- a/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch 
+++ b/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch @@ -1,8 +1,13 @@ -From 793527d84d379f9a7d84499f769cc6e74ed5bb6c Mon Sep 17 00:00:00 2001 +From de0458b25d94625aa9429b9dc73609be49ae477c Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Wed, 24 Jul 2024 09:51:57 +0200 Subject: [PATCH 08/13] genpolicy: read bundle-id from rootfs +The host path of bundles is not portable and could be literally anything +depending on containerd configuration, so we can't rely on a specific +prefix when deriving the bundle-id. Instead, we derive the bundle-id +from the target root path in the guest. + NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10065 --- src/tools/genpolicy/rules.rego | 29 ++++++++--------------------- @@ -63,5 +68,5 @@ index 9f0355634..f9ff50e22 100644 allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { print("allow_mount: i_mount =", i_mount) -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0009-genpolicy-harden-args-and-env.patch b/packages/by-name/kata/kata-runtime/0009-genpolicy-harden-args-and-env.patch index 81abf9e6c..52d23cc0c 100644 --- a/packages/by-name/kata/kata-runtime/0009-genpolicy-harden-args-and-env.patch +++ b/packages/by-name/kata/kata-runtime/0009-genpolicy-harden-args-and-env.patch @@ -1,10 +1,15 @@ -From 169ef67c287cb5b6bf71918da8800e88c4fa4873 Mon Sep 17 00:00:00 2001 +From f9a94397703b1e6504052c5b2cce84f40dc98da2 Mon Sep 17 00:00:00 2001 
From: Markus Rudy Date: Fri, 2 Aug 2024 15:37:38 +0200 Subject: [PATCH 09/13] genpolicy: harden args and env -NOTE: This fixes an unpublished issue with env and path from downward -API. +Some downward API values can't be checked against reference values: +* Node name +* Pod name (in the case of controllers) +* UIDs + +This commit adds basic sanity checks for these values to make use in +environment variables more safe (e.g. against command injection). --- src/tools/genpolicy/rules.rego | 22 +- src/tools/genpolicy/tests/main.rs | 7 +- @@ -954,5 +959,5 @@ index 000000000..4ca01fb34 + } +] -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0010-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/packages/by-name/kata/kata-runtime/0010-genpolicy-regex-check-contrast-specific-layer-src-pr.patch index 8f1644933..5f668bcba 100644 --- a/packages/by-name/kata/kata-runtime/0010-genpolicy-regex-check-contrast-specific-layer-src-pr.patch +++ b/packages/by-name/kata/kata-runtime/0010-genpolicy-regex-check-contrast-specific-layer-src-pr.patch @@ -1,4 +1,4 @@ -From 9081fb86ae71d75da3be4f9457897ea70ac89bdd Mon Sep 17 00:00:00 2001 +From 0be96f1d5e1102496c53ef48c09e52a42d67f627 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Thu, 11 Jul 2024 12:05:00 +0200 Subject: [PATCH 10/13] genpolicy: regex check contrast specific @@ -23,5 +23,5 @@ index d8a37124e..b64ff7b3b 100644 print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2]) i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw" -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-bump-OCI-version.patch b/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-bump-OCI-version.patch index 0df10e81d..224c3f7c7 100644 --- a/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-bump-OCI-version.patch 
+++ b/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-bump-OCI-version.patch @@ -1,9 +1,9 @@ -From 1f20c78a5b1cef2cff4e0c8a64437c1297d28faa Mon Sep 17 00:00:00 2001 +From 74a899fedd43135130136a3a1abe950bd8c7426a Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Wed, 24 Jul 2024 11:16:37 +0200 Subject: [PATCH 11/13] genpolicy-settings: bump OCI version -NOTE: Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0. +Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0. --- src/tools/genpolicy/genpolicy-settings.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) @@ -29,5 +29,5 @@ index e50d5e545..fcafa46cc 100644 \ No newline at end of file +} -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0012-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch b/packages/by-name/kata/kata-runtime/0012-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch index 7a27c60bf..c67ddee4c 100644 --- a/packages/by-name/kata/kata-runtime/0012-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch +++ b/packages/by-name/kata/kata-runtime/0012-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch @@ -1,9 +1,9 @@ -From 4fd2477cb681a43cce2153aa7861125f44103dc3 Mon Sep 17 00:00:00 2001 +From f2d00f6bcd6e4b6546a51ec60c5643a27c4df4e8 Mon Sep 17 00:00:00 2001 From: Markus Rudy Date: Mon, 12 Aug 2024 14:18:43 +0200 Subject: [PATCH 12/13] genpolicy-settings: change cpath for Nydus guest pull -NOTE: Nydus uses a different base dir for container rootfs, see +Nydus uses a different base dir for container rootfs, see https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139 --- src/tools/genpolicy/genpolicy-settings.json | 2 +- @@ -23,5 +23,5 @@ index fcafa46cc..4e9f6481d 100644 "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-", "ip_p": "[0-9]{1,5}", -- -2.45.2 +2.46.0 
diff --git a/packages/by-name/kata/kata-runtime/0013-genpolicy-allow-image_guest_pull.patch b/packages/by-name/kata/kata-runtime/0013-genpolicy-allow-image_guest_pull.patch
index 5d731a1d0..1bef2fb47 100644
--- a/packages/by-name/kata/kata-runtime/0013-genpolicy-allow-image_guest_pull.patch
+++ b/packages/by-name/kata/kata-runtime/0013-genpolicy-allow-image_guest_pull.patch
@@ -1,22 +1,45 @@
-From c6e89d11f39dd83e183375f66cb48791d8d03b8f Mon Sep 17 00:00:00 2001
+From 5dc1720bdf0951a7099f1e980df1fa80cf4e7f38 Mon Sep 17 00:00:00 2001
From: Markus Rudy Date: Thu, 1 Aug 2024 15:58:42 +0200 Subject: [PATCH 13/13] genpolicy: allow image_guest_pull -NOTE: This implements ideas from -https://github.com/kata-containers/kata-containers/issues/10088. +This adds an alternative version of allow_storages that checks Nydus +guest pull instructions. The image reference is present in two +locations, but currently only read from the driver options. However, to +be safe against future changes in image-rs, we check both references +against the policy digest. + +Since containerd removes the image tag if the reference has a digest, we +cannot compare the strings byte for byte. Instead, we only compare the +digest parts, which are considered sufficient to identify an image. An +image reference without a digest cannot be meaningfully checked, so we +don't even bother handling that case. --- - src/tools/genpolicy/rules.rego | 82 +- + src/tools/genpolicy/genpolicy-settings.json | 2 +- + src/tools/genpolicy/rules.rego | 116 +- src/tools/genpolicy/src/policy.rs | 4 + src/tools/genpolicy/tests/main.rs | 5 + .../createcontainer/guest_pull/pod.yaml | 11 + - .../createcontainer/guest_pull/testcases.json | 1217 +++++++++++++++++ - 5 files changed, 1301 insertions(+), 18 deletions(-) + .../createcontainer/guest_pull/testcases.json | 2027 +++++++++++++++++ + 6 files changed, 2146 insertions(+), 19 deletions(-) create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json +diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json +index 4e9f6481d..e3b36a655 100644 +--- a/src/tools/genpolicy/genpolicy-settings.json ++++ b/src/tools/genpolicy/genpolicy-settings.json +@@ -148,7 +148,7 @@ + "emptyDir": { + "mount_type": "local", + "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/", +- "mount_point": "^$(cpath)/$(sandbox-id)/local/", ++ "mount_point": 
"^$(cpath)/$(sandbox-id)/rootfs/local/", + "driver": "local", + "source": "local", + "fstype": "local", diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego -index b64ff7b3b..f84e0097a 100644 +index b64ff7b3b..fac040565 100644 --- a/src/tools/genpolicy/rules.rego +++ b/src/tools/genpolicy/rules.rego @@ -80,7 +80,7 @@ CreateContainerRequest { @@ -109,7 +132,7 @@ index b64ff7b3b..f84e0097a 100644 print("allow_by_bundle_or_sandbox_id: true") } -@@ -824,30 +825,75 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { +@@ -824,30 +825,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { ###################################################################### # Create container Storages @@ -119,7 +142,9 @@ index b64ff7b3b..f84e0097a 100644 + print("allow_storages 1: start") + i_count := count(i_storages) + print("allow_storages 1: i_count =", i_count) -+ i_count == 1 ++ i_count >= 1 ++ ++ # First storage: image guest pull + + i_storage := i_storages[0] + i_storage.driver == "image_guest_pull" 
@@ -140,23 +165,55 @@ index b64ff7b3b..f84e0097a 100644 + + allow_guest_pull(p_container.image, i_storage.source, i_driver_options) + ++ # Other storages: local mounts ++ ++ every i_storage in array.slice(i_storages, 1, count(i_storages)) { ++ some p_storage in p_container.storages ++ some allowed_driver in ["local", "ephemeral"] ++ p_storage.driver == allowed_driver ++ p_storage.options == i_storage.options ++ ++ mount1 := p_storage.mount_point ++ mount2 := replace(mount1, "$(cpath)", policy_data.common.mount_source_cpath) ++ mount3 := replace(mount2, "$(sandbox-id)", sandbox_id) ++ print("allow_mount_point 3: mount3 =", mount3, "i_storage.mount_point =", i_storage.mount_point) ++ regex.match(mount3, i_storage.mount_point) ++ } ++ + print("allow_storages 1: true") +} + +allow_guest_pull(p_container_image, i_storage_source, i_driver_options) { -+ # pause container ++ print("allow_guest_pull 1: start") ++ # pause container is only allowed in the sandbox container. ++ i_driver_options.metadata["io.kubernetes.cri.container-type"] == "sandbox" + i_storage_source == "pause" + not i_driver_options.metadata["io.kubernetes.cri.image-name"] + print("allow_guest_pull 1: true") +} + +allow_guest_pull(p_container_image, i_storage_source, i_driver_options) { -+ # other containers -+ i_storage_source == p_container_image -+ i_driver_options.metadata["io.kubernetes.cri.image-name"] == p_container_image ++ print("allow_guest_pull 2: start") ++ # Non-sandbox container images are compared against reference values. ++ i_driver_options.metadata["io.kubernetes.cri.container-type"] == "container" ++ is_same_image(i_storage_source, p_container_image) ++ is_same_image(i_driver_options.metadata["io.kubernetes.cri.image-name"], p_container_image) + print("allow_guest_pull 2: true") +} + ++is_same_image(a, b) { ++ # Images are the same if their digests are the same. 
++ digest_re = "^[^@]+(@.+)?$" ++ ++ print("is_same_image: a =", a, "b =", b) ++ ++ a_match := regex.find_all_string_submatch_n(digest_re, a, 1) ++ b_match := regex.find_all_string_submatch_n(digest_re, b, 1) ++ a_match[0][1] == b_match[0][1] ++ ++ print("is_same_image: true") ++} ++ +# Allow tardev-snapshotter storage +allow_storages(p_container, i_storages, bundle_id, sandbox_id) { + p_storages := p_container.storages @@ -192,7 +249,7 @@ index b64ff7b3b..f84e0097a 100644 allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs -index fb1e92388..2416832c3 100644 +index adbdf97f3..c4dc4ac3c 100644 --- a/src/tools/genpolicy/src/policy.rs +++ b/src/tools/genpolicy/src/policy.rs @@ -270,6 +270,9 @@ pub struct ContainerPolicy { @@ -205,7 +262,7 @@ index fb1e92388..2416832c3 100644 /// Data compared with req.storages for CreateContainerRequest calls. storages: Vec, -@@ -638,6 +641,7 @@ impl AgentPolicy { +@@ -636,6 +639,7 @@ impl AgentPolicy { Annotations: annotations, Linux: linux, }, @@ -245,10 +302,10 @@ index 000000000..203af19a6 + privileged: true diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json new file mode 100644 -index 000000000..f625d4218 +index 000000000..2f21e0674 --- /dev/null +++ b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json -@@ -0,0 +1,1217 @@ +@@ -0,0 +1,2027 @@ +[ + { + "description": "expected main container", @@ -656,8 +713,8 @@ index 000000000..f625d4218 + } + }, + { -+ "description": "unexpected image in source", -+ "allowed": false, ++ "description": "expected main container without tag", ++ "allowed": true, + "request": { + "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", + "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", 
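Review bot: In the `every i_storage in array.slice(i_storages, 1, ...)` block, the input storage's `driver`, `fstype` and `source` are never compared with the policy entry — only `p_storage.driver` is constrained, and `i_storage` is checked on `options` and `mount_point` alone, so any extra storage whose options and mount point line up with a `local`/`ephemeral` policy entry is accepted whatever driver or source it names; add `i_storage.driver == p_storage.driver` and `i_storage.fstype == p_storage.fstype` next to the options comparison and compare `source` as well, since the settings entry earlier in this patch carries all three fields for these volumes (the enclosing `allow_storages` rule starts in the preceding hunk, whose `i_count >= 1` relaxation relies on this block). Separately, `is_same_image` makes the digest group optional (`(@.+)?`); OPA's regex builtins follow Go regexp, where a non-participating group yields an empty submatch, so two references that both lack a digest compare equal regardless of image name — `digest_re = "^[^@]+@(.+)$"` would leave `a_match[0]` undefined for a digest-less reference and fail closed, which matches the commit message's stated intent not to accept such references. Lastly, the `mount3` pattern is anchored only at its start, so `regex.match(mount3, i_storage.mount_point)` admits any path below that directory; if that is intended, a short comment saying so on the `regex.match` line would help the next reader.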
@@ -667,9 +724,9 @@ index 000000000..f625d4218 + { + "driver": "image_guest_pull", + "driver_options": [ -+ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" + ], -+ "source": "registry.k8s.io/pause:3.6@sha256:0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d", ++ "source": "registry.k8s.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", + "fstype": "overlay", + "options": [], + "mount_point": 
"/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", @@ -1061,7 +1118,7 @@ index 000000000..f625d4218 + } + }, + { -+ "description": "unexpected image in driver_options", ++ "description": "unexpected image in source", + "allowed": false, + "request": { + "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", 
@@ -1072,9 +1129,819 @@ index 000000000..f625d4218
+ {
+ "driver": "image_guest_pull",
+ "driver_options": [
-+ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}"
++ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}"
+ ],
-+ "source": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db",
++ "source": "registry.k8s.io/pause:3.6@sha256:0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d",
++ "fstype": "overlay",
++ "options": [],
++ "mount_point": 
"/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, ++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ "KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ 
"CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ 
}, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ "mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": 
"/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ 
"Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ }, ++ { ++ "description": "unexpected image in driver_options", ++ "allowed": false, ++ "request": { ++ "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "string_user": null, ++ "devices": [], ++ "storages": [ ++ { ++ "driver": "image_guest_pull", ++ "driver_options": [ ++ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ ], ++ "source": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", ++ "fstype": "overlay", ++ "options": [], ++ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, 
++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ "KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ 
"CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ 
"mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": "/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ 
"rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ "Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ }, ++ { ++ 
"description": "image without digest",
++ "allowed": false,
++ "request": {
++ "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
++ "string_user": null,
++ "devices": [],
++ "storages": [
++ {
++ "driver": "image_guest_pull",
++ "driver_options": [
++ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}"
++ ],
++ "source": "registry.k8s.io/pause:3.6",
+ "fstype": "overlay",
+ "options": [],
+ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs",
@@ -1467,5 +2334,5 @@ index 000000000..f625d4218
+ }
+]
--
-2.45.2
+2.46.0
diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix
index c6ce39263..53d25ce12 100644
--- a/packages/by-name/kata/kata-runtime/package.nix
+++ b/packages/by-name/kata/kata-runtime/package.nix
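Review bot: The renamed case and the two added ones at @@ -1072 differ only in which field carries the foreign digest `0badf00d…` or in dropping the digest altogether; no case keeps the expected digest while changing the repository or tag (for example `registry.k8s.io/other@sha256:3d380ca8…` or `registry.k8s.io/pause:3.7@sha256:3d380ca8…` in `source`), so the fixtures do not pin whether the policy compares the whole reference or only the digest, and the tag-less reference accepted at @@ -667 suggests it may be the latter. Adding one such case with its intended verdict would document that decision. In all three new requests the `image_guest_pull` metadata names the container `reader` while the OCI `Annotations` say `dummy-ctr`; if the allowed case carries the same mismatch, the suite cannot tell whether the policy cross-checks storage metadata against the annotations, which is presumably fine but is worth a case of its own or a mention in the `description`. Each request repeats the full OCI spec verbatim, so keeping the three varying values (`description`, `image-name`, `source`) adjacent, as done here, is what keeps these cases reviewable.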
@@ -45,25 +45,35 @@ buildGoModule rec {
# Patch set to enable policy support for bare metal with Nydus guest pull.
#
- # Corresponding upstream PR: https://github.com/kata-containers/kata-containers/pull/9911
- # Included in 3.9.0, but has an exception for cbl-mariner?
+ # Backport of https://github.com/kata-containers/kata-containers/pull/9911.
+ # TODO(burgerdev): remove after upgrading to Kata 3.9
./0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch
- # Cherry-pick from https://github.com/microsoft/kata-containers/pull/139/commits/e4465090e693807d6ccc044344ad44789acda3e2
+ # Cherry-pick from https://github.com/microsoft/kata-containers/pull/139/commits/e4465090e693807d6ccc044344ad44789acda3e2,
+ # fixes https://github.com/kata-containers/kata-containers/issues/10046.
+ # Currently not possible to backport because it would break integration testing with virtiofs.
./0006-genpolicy-validate-create-sandbox-storages.patch
- # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10064
+ # Fixes https://github.com/kata-containers/kata-containers/issues/10064.
+ # TODO(burgerdev): backport
./0007-genpolicy-enable-sysctl-checks.patch
- # Upstream issue: https://github.com/kata-containers/kata-containers/issues/10065
+ # Fixes https://github.com/kata-containers/kata-containers/issues/10065.
+ # TODO(burgerdev): backport
./0008-genpolicy-read-bundle-id-from-rootfs.patch
- # TODO(burgerdev): This fixes an unpublished issue with env and path from downward API.
+ # This fixes an unpublished issue with env and path from downward API.
+ # TODO(burgerdev): open issue and backport
./0009-genpolicy-harden-args-and-env.patch
# Contrast specific layer-src-prefix, also applied to microsoft.kata-runtime.
+ # TODO(burgerdev): discuss relaxing the checks for host paths with Kata maintainers.
./0010-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
# Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
+ # TODO(burgerdev): discuss relaxing the OCI version checks with Kata maintainers.
+ # TODO(burgerdev): move to genpolicy-settings patches
./0011-genpolicy-settings-bump-OCI-version.patch
# Nydus uses a different base dir for container rootfs,
# see https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139.
+ # TODO(burgerdev): discuss the discrepancy and path forward with Kata maintainers.
./0012-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch
# Implements ideas from https://github.com/kata-containers/kata-containers/issues/10088.
+ # TODO(burgerdev): backport
./0013-genpolicy-allow-image_guest_pull.patch
];
};