cli: platform dependent genpolicy config

cli/cmd/common.go

@@ -31,12 +31,6 @@ const (
 )
 
 var (
-	//go:embed assets/genpolicy
-	genpolicyBin []byte
-	//go:embed assets/genpolicy-settings.json
-	defaultGenpolicySettings []byte
-	//go:embed assets/genpolicy-rules.rego
-	defaultRules []byte
 	// ReleaseImageReplacements contains the image replacements used by contrast.
 	//go:embed assets/image-replacements.txt
 	ReleaseImageReplacements []byte

cli/cmd/generate.go

@@ -100,7 +100,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Patched targets")
 
-	if err := generatePolicies(cmd.Context(), flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, paths, log); err != nil {
+	if err := generatePolicies(cmd.Context(), flags, paths, log); err != nil {
 		return fmt.Errorf("failed to generate policies: %w", err)
 	}
 	fmt.Fprintln(cmd.OutOrStdout(), "✔️ Generated workload policy annotations")
@@ -233,15 +233,16 @@ func filterNonCoCoRuntime(runtimeClassNamePrefix string, paths []string, logger
 	return filtered
 }
 
-func generatePolicies(ctx context.Context, regoRulesPath, policySettingsPath, genpolicyCachePath string, yamlPaths []string, logger *slog.Logger) error {
-	if err := createFileWithDefault(policySettingsPath, 0o644, func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
+func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []string, logger *slog.Logger) error {
+	cfg := genpolicy.NewConfig(flags.referenceValuesPlatform)
+	if err := createFileWithDefault(flags.settingsPath, 0o644, func() ([]byte, error) { return cfg.Settings, nil }); err != nil {
 		return fmt.Errorf("creating default policy file: %w", err)
 	}
-	if err := createFileWithDefault(regoRulesPath, 0o644, func() ([]byte, error) { return defaultRules, nil }); err != nil {
+	if err := createFileWithDefault(flags.policyPath, 0o644, func() ([]byte, error) { return cfg.Rules, nil }); err != nil {
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
 
-	runner, err := genpolicy.New(genpolicyBin, regoRulesPath, policySettingsPath, genpolicyCachePath)
+	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath)
 	if err != nil {
 		return fmt.Errorf("perparing genpolicy: %w", err)
 	}

cli/genpolicy/assets/allow-all.rego

@@ -0,0 +1,43 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest := true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := true
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true

cli/genpolicy/config.go

@@ -0,0 +1,40 @@
+// Copyright 2024 Edgeless Systems GmbH
+// SPDX-License-Identifier: AGPL-3.0-only
+
+package genpolicy
+
+import (
+	_ "embed"
+
+	"github.com/edgelesssys/contrast/node-installer/platforms"
+)
+
+var (
+	//go:embed assets/genpolicy
+	genpolicyBin []byte
+	//go:embed assets/genpolicy-settings.json
+	defaultGenpolicySettings []byte
+	//go:embed assets/genpolicy-rules.rego
+	aksCloudHypervisorSNPRules []byte
+	//go:embed assets/allow-all.rego
+	permissiveRules []byte
+)
+
+type Config struct {
+	Rules    []byte
+	Settings []byte
+}
+
+func NewConfig(platform platforms.Platform) *Config {
+	cfg := &Config{
+		Settings: defaultGenpolicySettings,
+	}
+	switch platform {
+	case platforms.AKSCloudHypervisorSNP:
+		cfg.Rules = aksCloudHypervisorSNPRules
+	default:
+		// TODO(burgerdev): use real rules for supported platforms.
+		cfg.Rules = permissiveRules
+	}
+	return cfg
+}

cli/genpolicy/genpolicy.go

@@ -28,7 +28,7 @@ type Runner struct {
 }
 
 // New creates a new Runner for the given configuration.
-func New(genpolicyBin []byte, rulesPath, settingsPath, cachePath string) (*Runner, error) {
+func New(rulesPath, settingsPath, cachePath string) (*Runner, error) {
 	e := embedbin.New()
 	genpolicy, err := e.Install("", genpolicyBin)
 	if err != nil {

cli/genpolicy/genpolicy_test.go

@@ -48,7 +48,7 @@ func TestRunner(t *testing.T) {
 	logger := slog.Default()
 
 	d := t.TempDir()
-	genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
+	genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))
 
 	expectedRulesPath := "/rules.rego"
 	rulesPathFile := filepath.Join(d, "rules_path")
@@ -58,7 +58,7 @@ func TestRunner(t *testing.T) {
 	expectedYAMLPath := filepath.Join(d, "test.yaml")
 	yamlPathFile := filepath.Join(d, "yaml_path")
 
-	r, err := New(genpolicyBin, expectedRulesPath, expectedSettingsPath, cachePath)
+	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath)
 	require.NoError(err)
 
 	require.NoError(r.Run(ctx, expectedYAMLPath, logger))

packages/by-name/cli-release/package.nix

@@ -11,9 +11,9 @@
 (contrast.overrideAttrs (
   _finalAttrs: previousAttrs: {
     prePatch = ''
-      install -D ${lib.getExe genpolicy} cli/cmd/assets/genpolicy
-      install -D ${contrast.settings}/genpolicy-settings.json cli/cmd/assets/genpolicy-settings.json
-      install -D ${contrast.rules}/genpolicy-rules.rego cli/cmd/assets/genpolicy-rules.rego
+      install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+      install -D ${contrast.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+      install -D ${contrast.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
     '';
 
     ldflags = previousAttrs.ldflags ++ [

packages/by-name/contrast/package.nix

@@ -73,6 +73,7 @@ buildGoModule rec {
         (path.append root "go.mod")
         (path.append root "go.sum")
         (path.append root "cli/cmd/assets/image-replacements.txt")
+        (path.append root "cli/genpolicy/assets/allow-all.rego")
         (path.append root "internal/attestation/snp/Milan.pem")
         (path.append root "internal/attestation/snp/Genoa.pem")
         (path.append root "node-installer")
@@ -90,9 +91,9 @@ buildGoModule rec {
   subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
 
   prePatch = ''
-    install -D ${lib.getExe genpolicy} cli/cmd/assets/genpolicy
-    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/cmd/assets/genpolicy-settings.json
-    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/cmd/assets/genpolicy-rules.rego
+    install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
   '';
 
   CGO_ENABLED = 0;