kata: format patches according to amended patch workflow
Showing
16 changed files
with
82 additions
and
82 deletions.
@@ -1,4 +1,4 @@ | ||
From 099fd9159c03561ed738dacb370d18183f8601aa Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Tom Dohrmann <[email protected]> | ||
Date: Fri, 5 Jul 2024 08:43:13 +0000 | ||
Subject: [PATCH] govmm: Directly pass the firwmare using -bios with SNP | ||
|
@@ -9,7 +9,7 @@ Subject: [PATCH] govmm: Directly pass the firwmare using -bios with SNP | |
1 file changed, 1 insertion(+), 3 deletions(-) | ||
|
||
diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go | ||
index e1070b731..b3b3fb4bd 100644 | ||
index e1070b731920f00625dc58a9ce3e6b985af3a8ba..b3b3fb4bdbe99e6fc1a89db49be984b92a19551c 100644 | ||
--- a/src/runtime/pkg/govmm/qemu/qemu.go | ||
+++ b/src/runtime/pkg/govmm/qemu/qemu.go | ||
@@ -395,9 +395,7 @@ func (object Object) QemuParams(config *Config) []string { | ||
|
@@ -1,4 +1,4 @@ | ||
From b73c887c4b00d58b1a9bf403c5b2d05b02574731 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Tom Dohrmann <[email protected]> | ||
Date: Mon, 8 Jul 2024 07:35:54 +0000 | ||
Subject: [PATCH] emulate CPU model that most closely matches the host | ||
|
@@ -12,7 +12,7 @@ attestation. | |
1 file changed, 12 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go | ||
index 1d1be1711..6ebee26ce 100644 | ||
index 1d1be17118f397445941c50a5276fb8aec2411e3..6ebee26ce34b5137f88a78219340b1f0867bc7a8 100644 | ||
--- a/src/runtime/virtcontainers/qemu_amd64.go | ||
+++ b/src/runtime/virtcontainers/qemu_amd64.go | ||
@@ -191,7 +191,18 @@ func (q *qemuAmd64) cpuModel() string { | ||
|
@@ -1,4 +1,4 @@ | ||
From d3bc2eb74a14272afb10d20c63e4d938538acbfe Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Tom Dohrmann <[email protected]> | ||
Date: Mon, 8 Jul 2024 07:51:20 +0000 | ||
Subject: [PATCH] runtime: agent: verify the agent policy hash | ||
|
@@ -42,7 +42,7 @@ Signed-off-by: Tom Dohrmann <[email protected]> | |
create mode 100644 src/agent/src/tdx.rs | ||
|
||
diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock | ||
index f55144570..8cf40f7ec 100644 | ||
index f5514457031ed7f0b4d1c5c6bee7ec5ec8b9ad72..8cf40f7ec7d12b6e206d49f4b6adff05d347262d 100644 | ||
--- a/src/agent/Cargo.lock | ||
+++ b/src/agent/Cargo.lock | ||
@@ -542,6 +542,12 @@ version = "0.6.3" | ||
|
@@ -238,7 +238,7 @@ index f55144570..8cf40f7ec 100644 | |
name = "vsock" | ||
version = "0.2.6" | ||
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml | ||
index a8ed5d081..d5b3db965 100644 | ||
index a8ed5d081cf87b19f4ce5c5bdb9cc4efa694a6e3..d5b3db965fe75cbccc182825a4115bdc57a9705b 100644 | ||
--- a/src/agent/Cargo.toml | ||
+++ b/src/agent/Cargo.toml | ||
@@ -85,6 +85,11 @@ regorus = { version = "0.1.4", default-features = false, features = [ | ||
|
@@ -263,7 +263,7 @@ index a8ed5d081..d5b3db965 100644 | |
|
||
[[bin]] | ||
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs | ||
index 8a057bb36..22d858c10 100644 | ||
index 8a057bb367537cfac988f20fda86b2e23a681682..22d858c10468478dacb7e7e9b9133a756abc1ea8 100644 | ||
--- a/src/agent/src/main.rs | ||
+++ b/src/agent/src/main.rs | ||
@@ -85,6 +85,10 @@ mod tracer; | ||
|
@@ -278,7 +278,7 @@ index 8a057bb36..22d858c10 100644 | |
cfg_if! { | ||
if #[cfg(target_arch = "s390x")] { | ||
diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs | ||
index ccac317d0..2f1da9ecd 100644 | ||
index ccac317d0ff707c1fd1242a144886d5e8c000a90..2f1da9ecd0d0ee1be06218d5bc9e58cd93defa8c 100644 | ||
--- a/src/agent/src/policy.rs | ||
+++ b/src/agent/src/policy.rs | ||
@@ -3,11 +3,14 @@ | ||
|
@@ -351,7 +351,7 @@ index ccac317d0..2f1da9ecd 100644 | |
+} | ||
diff --git a/src/agent/src/sev.rs b/src/agent/src/sev.rs | ||
new file mode 100644 | ||
index 000000000..3257eabaf | ||
index 0000000000000000000000000000000000000000..3257eabafcc971df7219d71186383616ee19a672 | ||
--- /dev/null | ||
+++ b/src/agent/src/sev.rs | ||
@@ -0,0 +1,19 @@ | ||
|
@@ -376,7 +376,7 @@ index 000000000..3257eabaf | |
+} | ||
diff --git a/src/agent/src/tdx.rs b/src/agent/src/tdx.rs | ||
new file mode 100644 | ||
index 000000000..1531e72a8 | ||
index 0000000000000000000000000000000000000000..1531e72a8b8db6e357d02ecdd431a9b88af3b30d | ||
--- /dev/null | ||
+++ b/src/agent/src/tdx.rs | ||
@@ -0,0 +1,194 @@ | ||
|
@@ -575,7 +575,7 @@ index 000000000..1531e72a8 | |
+ Ok(mrconfigid) | ||
+} | ||
diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go | ||
index b3b3fb4bd..5070ecd1e 100644 | ||
index b3b3fb4bdbe99e6fc1a89db49be984b92a19551c..5070ecd1e78ca04383637e662b3c8e4f8ec0ae5e 100644 | ||
--- a/src/runtime/pkg/govmm/qemu/qemu.go | ||
+++ b/src/runtime/pkg/govmm/qemu/qemu.go | ||
@@ -320,6 +320,11 @@ type Object struct { | ||
|
@@ -631,7 +631,7 @@ index b3b3fb4bd..5070ecd1e 100644 | |
|
||
return tdxObject.String() | ||
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go | ||
index 5eb922980..0e5205cc9 100644 | ||
index 5eb922980be33de9afc25ffaae65dd222f976c52..0e5205cc99da99e929365cbfe8637465872addb9 100644 | ||
--- a/src/runtime/virtcontainers/hypervisor.go | ||
+++ b/src/runtime/virtcontainers/hypervisor.go | ||
@@ -545,7 +545,7 @@ type HypervisorConfig struct { | ||
|
@@ -666,7 +666,7 @@ index 5eb922980..0e5205cc9 100644 | |
tdxProtection | ||
|
||
diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go | ||
index ba86c3d63..2c6311c06 100644 | ||
index ba86c3d63a6c5158b3d0f7e6ae6af865dddb9d8d..2c6311c067935a2c5da0a1018420bab684b670e8 100644 | ||
--- a/src/runtime/virtcontainers/qemu.go | ||
+++ b/src/runtime/virtcontainers/qemu.go | ||
@@ -681,7 +681,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi | ||
|
@@ -679,7 +679,7 @@ index ba86c3d63..2c6311c06 100644 | |
return err | ||
} | ||
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go | ||
index 6ebee26ce..0a0451cba 100644 | ||
index 6ebee26ce34b5137f88a78219340b1f0867bc7a8..0a0451cba1565358225875cf6506381f5d221aec 100644 | ||
--- a/src/runtime/virtcontainers/qemu_amd64.go | ||
+++ b/src/runtime/virtcontainers/qemu_amd64.go | ||
@@ -9,6 +9,8 @@ package virtcontainers | ||
|
@@ -754,7 +754,7 @@ index 6ebee26ce..0a0451cba 100644 | |
+ return base64.StdEncoding.EncodeToString(mrConfigId) | ||
+} | ||
diff --git a/src/runtime/virtcontainers/qemu_amd64_test.go b/src/runtime/virtcontainers/qemu_amd64_test.go | ||
index 1425cb38c..f0a9c691a 100644 | ||
index 1425cb38cfd79ab06b04f1dafbab9b7440901688..f0a9c691a6ffc6356f8f9a335e72b81239a2ef2c 100644 | ||
--- a/src/runtime/virtcontainers/qemu_amd64_test.go | ||
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go | ||
@@ -9,6 +9,10 @@ package virtcontainers | ||
|
@@ -943,7 +943,7 @@ index 1425cb38c..f0a9c691a 100644 | |
+ assert.Equal(expectedOut, devices) | ||
} | ||
diff --git a/src/runtime/virtcontainers/qemu_arch_base.go b/src/runtime/virtcontainers/qemu_arch_base.go | ||
index fd92be772..662466f58 100644 | ||
index fd92be772446f30058d4424f7a330a0bc23ff433..662466f5846c22b4c7fa6b62b1a272258e2e4143 100644 | ||
--- a/src/runtime/virtcontainers/qemu_arch_base.go | ||
+++ b/src/runtime/virtcontainers/qemu_arch_base.go | ||
@@ -162,7 +162,7 @@ type qemuArch interface { | ||
|
@@ -965,7 +965,7 @@ index fd92be772..662466f58 100644 | |
return devices, firmware, nil | ||
} | ||
diff --git a/src/runtime/virtcontainers/qemu_arm64.go b/src/runtime/virtcontainers/qemu_arm64.go | ||
index a9b803f73..112fe358e 100644 | ||
index a9b803f73275c1d5b9212a63fda097ebc33f1c9f..112fe358e4d76700ebe7a1d36e9ae42eb93611b7 100644 | ||
--- a/src/runtime/virtcontainers/qemu_arm64.go | ||
+++ b/src/runtime/virtcontainers/qemu_arm64.go | ||
@@ -154,7 +154,7 @@ func (q *qemuArm64) enableProtection() error { | ||
|
@@ -978,7 +978,7 @@ index a9b803f73..112fe358e 100644 | |
if err != nil { | ||
hvLogger.WithField("arch", runtime.GOARCH).Error(err) | ||
diff --git a/src/runtime/virtcontainers/qemu_arm64_test.go b/src/runtime/virtcontainers/qemu_arm64_test.go | ||
index 07e67ac8c..8b6bd03eb 100644 | ||
index 07e67ac8c1479c67f4b4ffa850dddb8d1e0680e4..8b6bd03eb9d10f0c37dbdbb3fb5fa48585659e96 100644 | ||
--- a/src/runtime/virtcontainers/qemu_arm64_test.go | ||
+++ b/src/runtime/virtcontainers/qemu_arm64_test.go | ||
@@ -182,42 +182,77 @@ func TestQemuArm64AppendProtectionDevice(t *testing.T) { | ||
|
@@ -1066,7 +1066,7 @@ index 07e67ac8c..8b6bd03eb 100644 | |
assert.Empty(bios) | ||
assert.NoError(err) | ||
diff --git a/src/runtime/virtcontainers/qemu_ppc64le.go b/src/runtime/virtcontainers/qemu_ppc64le.go | ||
index d2e0228c8..ed7a14c4d 100644 | ||
index d2e0228c8be8eae3ae24f3aa81b6423735f51320..ed7a14c4dc4262a0f1d77f6efa11310479fa1ecb 100644 | ||
--- a/src/runtime/virtcontainers/qemu_ppc64le.go | ||
+++ b/src/runtime/virtcontainers/qemu_ppc64le.go | ||
@@ -157,7 +157,7 @@ func (q *qemuPPC64le) enableProtection() error { | ||
|
@@ -1079,7 +1079,7 @@ index d2e0228c8..ed7a14c4d 100644 | |
case pefProtection: | ||
return append(devices, | ||
diff --git a/src/runtime/virtcontainers/qemu_ppc64le_test.go b/src/runtime/virtcontainers/qemu_ppc64le_test.go | ||
index 85e1dfe80..0c2f4b923 100644 | ||
index 85e1dfe8050e3c64545e2031420058aad004f2ab..0c2f4b923d5550b67ad8c767124d8414b47d4c0b 100644 | ||
--- a/src/runtime/virtcontainers/qemu_ppc64le_test.go | ||
+++ b/src/runtime/virtcontainers/qemu_ppc64le_test.go | ||
@@ -60,39 +60,63 @@ func TestQemuPPC64leAppendProtectionDevice(t *testing.T) { | ||
|
@@ -1174,7 +1174,7 @@ index 85e1dfe80..0c2f4b923 100644 | |
+ assert.Equal(expectedOut, devices) | ||
} | ||
diff --git a/src/runtime/virtcontainers/qemu_s390x.go b/src/runtime/virtcontainers/qemu_s390x.go | ||
index 29eaafe5b..787a0e589 100644 | ||
index 29eaafe5b3fe0ecf9f10bc49ede3465d2cf8ec3e..787a0e589a71dabb5acaedd66e36bb5f7d9662d0 100644 | ||
--- a/src/runtime/virtcontainers/qemu_s390x.go | ||
+++ b/src/runtime/virtcontainers/qemu_s390x.go | ||
@@ -337,7 +337,7 @@ func (q *qemuS390x) enableProtection() error { | ||
|
@@ -1187,7 +1187,7 @@ index 29eaafe5b..787a0e589 100644 | |
case seProtection: | ||
return append(devices, | ||
diff --git a/src/runtime/virtcontainers/qemu_s390x_test.go b/src/runtime/virtcontainers/qemu_s390x_test.go | ||
index 24a67bdd9..3f5f84aff 100644 | ||
index 24a67bdd9e591ead96fbaea473cb662526dedbf3..3f5f84afffeec6fed0ba624408158425090fe88a 100644 | ||
--- a/src/runtime/virtcontainers/qemu_s390x_test.go | ||
+++ b/src/runtime/virtcontainers/qemu_s390x_test.go | ||
@@ -111,40 +111,64 @@ func TestQemuS390xAppendProtectionDevice(t *testing.T) { | ||
|
@@ -1281,7 +1281,7 @@ index 24a67bdd9..3f5f84aff 100644 | |
+ assert.Equal(expectedOut, devices) | ||
} | ||
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go | ||
index ac0d35e9c..ff7a46b4e 100644 | ||
index ac0d35e9c854d6b5eea52e716137fe62414d51a7..ff7a46b4e05dbef2d8d1981897b04e639fda5527 100644 | ||
--- a/src/runtime/virtcontainers/sandbox.go | ||
+++ b/src/runtime/virtcontainers/sandbox.go | ||
@@ -613,6 +613,7 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor | ||
|
@@ -1,4 +1,4 @@ | ||
From cc68c48a9af8cbdd6ffd8a74d7960adc22150f08 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Markus Rudy <[email protected]> | ||
Date: Wed, 24 Jul 2024 09:48:48 +0200 | ||
Subject: [PATCH] genpolicy: enable sysctl checks | ||
|
@@ -16,7 +16,7 @@ environment-dependent sysctls in the settings file. | |
5 files changed, 62 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json | ||
index fe1625bac..e50d5e545 100644 | ||
index fe1625bac119b59ce2094b2220e2a87c486e670a..e50d5e545e3fe42db486771345310d4c2157be2f 100644 | ||
--- a/src/tools/genpolicy/genpolicy-settings.json | ||
+++ b/src/tools/genpolicy/genpolicy-settings.json | ||
@@ -39,6 +39,10 @@ | ||
|
@@ -44,7 +44,7 @@ index fe1625bac..e50d5e545 100644 | |
}, | ||
"volumes": { | ||
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego | ||
index 1d95bfe69..a89b13ed1 100644 | ||
index 1d95bfe699bb5082f8bbfb2cc4d89c8bde3a08ec..a89b13ed158ad8524e11ffbdad8ccb1ce7692aed 100644 | ||
--- a/src/tools/genpolicy/rules.rego | ||
+++ b/src/tools/genpolicy/rules.rego | ||
@@ -112,7 +112,6 @@ allow_create_container_input { | ||
|
@@ -88,7 +88,7 @@ index 1d95bfe69..a89b13ed1 100644 | |
# and io.kubernetes.cri.sandbox-id" values with other fields. | ||
allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { | ||
diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs | ||
index 075fced5b..2922ea0ab 100644 | ||
index 075fced5bfec11b27e529f0b1d2dba5e6271ba82..2922ea0ab54671269c8eedab3890ba35529db05a 100644 | ||
--- a/src/tools/genpolicy/src/containerd.rs | ||
+++ b/src/tools/genpolicy/src/containerd.rs | ||
@@ -3,6 +3,8 @@ | ||
|
@@ -117,7 +117,7 @@ index 075fced5b..2922ea0ab 100644 | |
} | ||
} | ||
diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs | ||
index 19f882239..5030144c6 100644 | ||
index 19f8822395ca225961bcf77bc3e5ae25e3c31119..5030144c6364cd929c53d18a24459748c1ce20aa 100644 | ||
--- a/src/tools/genpolicy/src/pod.rs | ||
+++ b/src/tools/genpolicy/src/pod.rs | ||
@@ -21,6 +21,7 @@ use log::{debug, warn}; | ||
|
@@ -176,7 +176,7 @@ index 19f882239..5030144c6 100644 | |
..Default::default() | ||
}; | ||
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs | ||
index 973643e1f..adbdf97f3 100644 | ||
index 973643e1f270b589e30e0b2e9235dbfa70df0f20..adbdf97f33c449e905cbf9044a118da4598c69cd 100644 | ||
--- a/src/tools/genpolicy/src/policy.rs | ||
+++ b/src/tools/genpolicy/src/policy.rs | ||
@@ -27,6 +27,7 @@ use serde_yaml::Value; | ||
|
@@ -1,4 +1,4 @@ | ||
From eed3e15bfd5468480e07b08dbf5266a75a61e076 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Markus Rudy <[email protected]> | ||
Date: Wed, 24 Jul 2024 09:51:57 +0200 | ||
Subject: [PATCH] genpolicy: read bundle-id from rootfs | ||
|
@@ -14,7 +14,7 @@ NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10065 | |
1 file changed, 8 insertions(+), 21 deletions(-) | ||
|
||
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego | ||
index a89b13ed1..d9b68e3ac 100644 | ||
index a89b13ed158ad8524e11ffbdad8ccb1ce7692aed..d9b68e3ac0758f0d15bc1415300573082d7e1949 100644 | ||
--- a/src/tools/genpolicy/rules.rego | ||
+++ b/src/tools/genpolicy/rules.rego | ||
@@ -509,9 +509,6 @@ allow_linux_sysctl(p_linux, i_linux) { | ||
|
@@ -1,4 +1,4 @@ | ||
From 551b4a87596fe66741433424872deefbc251ee59 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Paul Meyer <[email protected]> | ||
Date: Thu, 11 Jul 2024 12:05:00 +0200 | ||
Subject: [PATCH] genpolicy: regex check contrast specific layer-src-prefix | ||
|
@@ -9,7 +9,7 @@ Signed-off-by: Paul Meyer <[email protected]> | |
1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
||
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego | ||
index d9b68e3ac..6ddcd18cd 100644 | ||
index d9b68e3ac0758f0d15bc1415300573082d7e1949..6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d 100644 | ||
--- a/src/tools/genpolicy/rules.rego | ||
+++ b/src/tools/genpolicy/rules.rego | ||
@@ -905,7 +905,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) { | ||
|
@@ -1,4 +1,4 @@ | ||
From 264156d366f357b71fb697f7f65f9ff84e90c2f8 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Markus Rudy <[email protected]> | ||
Date: Wed, 24 Jul 2024 11:16:37 +0200 | ||
Subject: [PATCH] genpolicy-settings: bump OCI version | ||
|
@@ -9,7 +9,7 @@ Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0. | |
1 file changed, 2 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json | ||
index e50d5e545..fcafa46cc 100644 | ||
index e50d5e545e3fe42db486771345310d4c2157be2f..fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e 100644 | ||
--- a/src/tools/genpolicy/genpolicy-settings.json | ||
+++ b/src/tools/genpolicy/genpolicy-settings.json | ||
@@ -312,7 +312,7 @@ | ||
|
@@ -1,4 +1,4 @@ | ||
From cfa3376d255617815b8ef10bdc6026bf38a99889 Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Markus Rudy <[email protected]> | ||
Date: Mon, 12 Aug 2024 14:18:43 +0200 | ||
Subject: [PATCH] genpolicy-settings: change cpath for Nydus guest pull | ||
|
@@ -10,7 +10,7 @@ https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integratio | |
1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
||
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json | ||
index fcafa46cc..4e9f6481d 100644 | ||
index fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e..4e9f6481d649fc45716f182c394f38059792eb91 100644 | ||
--- a/src/tools/genpolicy/genpolicy-settings.json | ||
+++ b/src/tools/genpolicy/genpolicy-settings.json | ||
@@ -243,7 +243,7 @@ | ||
|
@@ -1,4 +1,4 @@ | ||
From f9e3e6924f326af2cbac10476f663a6bfb86685a Mon Sep 17 00:00:00 2001 | ||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
From: Markus Rudy <[email protected]> | ||
Date: Thu, 1 Aug 2024 15:58:42 +0200 | ||
Subject: [PATCH] genpolicy: allow image_guest_pull | ||
|
@@ -26,7 +26,7 @@ don't even bother handling that case. | |
create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json | ||
|
||
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json | ||
index 4e9f6481d..e3b36a655 100644 | ||
index 4e9f6481d649fc45716f182c394f38059792eb91..e3b36a6555a646ffefc7733c807d6b0da9967dea 100644 | ||
--- a/src/tools/genpolicy/genpolicy-settings.json | ||
+++ b/src/tools/genpolicy/genpolicy-settings.json | ||
@@ -148,7 +148,7 @@ | ||
|
@@ -39,7 +39,7 @@ index 4e9f6481d..e3b36a655 100644 | |
"source": "local", | ||
"fstype": "local", | ||
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego | ||
index 6ddcd18cd..50219c038 100644 | ||
index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..44af45437f550877652c33019f42b0b29fdcfbdb 100644 | ||
--- a/src/tools/genpolicy/rules.rego | ||
+++ b/src/tools/genpolicy/rules.rego | ||
@@ -80,7 +80,7 @@ CreateContainerRequest { | ||
|
@@ -153,7 +153,7 @@ index 6ddcd18cd..50219c038 100644 | |
+ p_mount_point := concat("/", [policy_data.common.cpath, bundle_id, "rootfs"]) | ||
+ print("allow_storages 1: i_storage.mount_point =", i_storage.mount_point, "p_mount_point =", p_mount_point) | ||
+ i_storage.mount_point == p_mount_point | ||
+ | ||
+ | ||
+ print("allow_storages 1: p_container.image =", p_container.image, "i_storage.source =", i_storage.source) | ||
+ | ||
+ count(i_storage.driver_options) == 1 | ||
|
@@ -215,7 +215,7 @@ index 6ddcd18cd..50219c038 100644 | |
+} | ||
+ | ||
+# Allow tardev-snapshotter storage | ||
+allow_storages(p_container, i_storages, bundle_id, sandbox_id) { | ||
+allow_storages(p_container, i_storages, bundle_id, sandbox_id) { | ||
+ p_storages := p_container.storages | ||
p_count := count(p_storages) | ||
i_count := count(i_storages) | ||
|
@@ -249,7 +249,7 @@ index 6ddcd18cd..50219c038 100644 | |
|
||
allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) { | ||
diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs | ||
index adbdf97f3..c4dc4ac3c 100644 | ||
index adbdf97f33c449e905cbf9044a118da4598c69cd..c4dc4ac3c2a10211909ae8ee8d77050add0e5cc1 100644 | ||
--- a/src/tools/genpolicy/src/policy.rs | ||
+++ b/src/tools/genpolicy/src/policy.rs | ||
@@ -270,6 +270,9 @@ pub struct ContainerPolicy { | ||
|
@@ -271,7 +271,7 @@ index adbdf97f3..c4dc4ac3c 100644 | |
devices, | ||
sandbox_pidns, | ||
diff --git a/src/tools/genpolicy/tests/main.rs b/src/tools/genpolicy/tests/main.rs | ||
index 565b3e2a0..a3a08d96e 100644 | ||
index 565b3e2a0b0368ccbecd778cb70fa9f94596de51..a3a08d96e865eb992ef5607ec050a58ea0749dfc 100644 | ||
--- a/src/tools/genpolicy/tests/main.rs | ||
+++ b/src/tools/genpolicy/tests/main.rs | ||
@@ -9,7 +9,7 @@ use std::path; | ||
|
@@ -294,7 +294,7 @@ index 565b3e2a0..a3a08d96e 100644 | |
+} | ||
diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml | ||
new file mode 100644 | ||
index 000000000..203af19a6 | ||
index 0000000000000000000000000000000000000000..203af19a6f7a200580cdd39cd38e50fe23403710 | ||
--- /dev/null | ||
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml | ||
@@ -0,0 +1,11 @@ | ||
|
@@ -311,7 +311,7 @@ index 000000000..203af19a6 | |
+ privileged: true | ||
diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json | ||
new file mode 100644 | ||
index 000000000..2f21e0674 | ||
index 0000000000000000000000000000000000000000..2f21e0674e496f9d496553311cb4c24f96449401 | ||
--- /dev/null | ||
+++ b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json | ||
@@ -0,0 +1,2027 @@ | ||
|
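Review bot: The `rules.rego` index line in this patch changes from `6ddcd18cd..50219c038` to a full hash whose new side begins `44af45437f`, so the post-image blob is a different file; every other index pair visible on the page only expands the same abbreviation. The doubled bare `+` line in the `-153,7` hunk and the doubled `+allow_storages(p_container, i_storages, bundle_id, sandbox_id) {` line in the `-215,7` hunk look like whitespace-only edits, which would explain the new blob, but the rendering hides the actual difference. Because the commit title announces formatting only, the description should say that this one patch changes content, for example `NOTE: whitespace in the rules.rego hunks was normalised; the resulting blob differs from the previous patch`. If the generated policy text is what gets hashed for attestation, as the sibling patch "runtime: agent: verify the agent policy hash" suggests, regenerated policies may stop matching previously pinned hashes, which is worth confirming before merge.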