genpolicy: add patches for volume mounting

edgelesssys · Sep 13, 2024 · b8e0c90 · b8e0c90
1 parent cdb7cbe
commit b8e0c90
Show file tree

Hide file tree

Showing 8 changed files with 116 additions and 17 deletions.
diff --git a/...es/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch b/...es/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch
@@ -1,7 +1,7 @@
-From 6b3b7179f3bc4b6109b9953d8447f763370840b4 Mon Sep 17 00:00:00 2001
+From 41f26a5803fa50abf3bd0d6cfebc8106ae9dcbc8 Mon Sep 17 00:00:00 2001
 From: Markus Rudy <[email protected]>
 Date: Thu, 23 May 2024 09:20:20 +0200
-Subject: [PATCH 1/4] genpolicy: add rules and types for volumeDevices
+Subject: [PATCH 1/6] genpolicy: add rules and types for volumeDevices
 
 Signed-off-by: Markus Rudy <[email protected]>
 ---
@@ -231,5 +231,5 @@ index 0a768ed8e..61d0ce3f0 100644
  }
 
 -- 
-2.45.1
+2.34.1
 
diff --git a/...-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch b/...-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch
@@ -1,7 +1,7 @@
-From 2752fe7dd88dd8b09c2fb041f30f607c871cc2b9 Mon Sep 17 00:00:00 2001
+From c890911981a072a14c69d92f82ece28e5d55d7fa Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Tue, 9 Jul 2024 16:07:09 +0200
-Subject: [PATCH 2/4] genpolicy: add ability to filter for runtimeClassName
+Subject: [PATCH 2/6] genpolicy: add ability to filter for runtimeClassName
 
 Signed-off-by: Paul Meyer <[email protected]>
 ---
@@ -176,5 +176,5 @@ index 8f06d291e..c898240af 100644
 
  /// See Reference / Kubernetes API / Common Definitions / LabelSelector.
 -- 
-2.45.1
+2.34.1
 
diff --git a/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch b/packages/by-name/microsoft/genpolicy/0003-genpolicy-allow-specifying-layer-cache-file.patch
@@ -1,7 +1,7 @@
-From 7d5195b5e7b6b3e0d9619e1b782969ba9be0fbe8 Mon Sep 17 00:00:00 2001
+From cf495b76fe64e56b3c18a7175cb4e01d27d02dc7 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Tue, 9 Jul 2024 16:14:46 +0200
-Subject: [PATCH 3/4] genpolicy: allow specifying layer cache file
+Subject: [PATCH 3/6] genpolicy: allow specifying layer cache file
 
 Add --layers-cache-file-path flag to allow the user to
 specify where the cache file for the container layers
@@ -267,5 +267,5 @@ index 2402c2ed2..7579d74bf 100644
          }
      }
 -- 
-2.45.1
+2.34.1
 
diff --git a/...-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/...-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
@@ -1,25 +1,26 @@
-From b631f031ef231372595243699a95d9d6e50e86bf Mon Sep 17 00:00:00 2001
+From 3b444c242de3bc130f0cf73d1a89ab540690c9f0 Mon Sep 17 00:00:00 2001
 From: Paul Meyer <[email protected]>
 Date: Thu, 11 Jul 2024 12:05:00 +0200
-Subject: [PATCH 4/4] genpolicy: regex check contrast specific layer-src-prefix
+Subject: [PATCH 4/6] genpolicy: regex check contrast specific layer-src-prefix
 
 Signed-off-by: Paul Meyer <[email protected]>
 ---
  src/tools/genpolicy/rules.rego | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 25c16bada..4f622a9f7 100644
+index 25c16bada..d933b928d 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -887,7 +887,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
      i_count == p_count + 3
-
+ 
      print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])
 -    i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers"
 +    regex.match(`io\.katacontainers\.fs-opt\.layer-src-prefix=/var/lib/containerd/io\.containerd\.snapshotter\.v1\.tardev-contrast-cc-(aks|k3s|rke2)-(qemu|clh)-(snp|tdx)-[a-f0-9]{8}/layers`, i_storage.options[0])
-
+ 
      print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
      i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
---
-2.45.1
+-- 
+2.34.1
+
diff --git a/...s/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch b/...s/by-name/microsoft/genpolicy/0005-genpolicy-propagate-mount_options-for-empty-dirs.patch
@@ -0,0 +1,60 @@
+From e60354b386c9b50ee5f3a0804be66152fe0849d7 Mon Sep 17 00:00:00 2001
+From: Leonard Cohnen <[email protected]>
+Date: Thu, 29 Aug 2024 03:45:24 +0200
+Subject: [PATCH 5/6] genpolicy: propagate mount_options for empty dirs
+
+In order to mount empty dirs e.g., with mount propagation "Bidirectional", we need the yaml value to the policy
+---
+ src/tools/genpolicy/src/mount_and_storage.rs | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
+index 520d3a8cb..05a4521f0 100644
+--- a/src/tools/genpolicy/src/mount_and_storage.rs
++++ b/src/tools/genpolicy/src/mount_and_storage.rs
+@@ -127,7 +127,14 @@ pub fn get_mount_and_storage(
+         } else {
+             false
+         };
+-        get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, memory_medium);
++        get_empty_dir_mount_and_storage(
++            settings,
++            p_mounts,
++            storages,
++            yaml_mount,
++            memory_medium,
++            mount_options,
++        );
+     } else if yaml_volume.persistentVolumeClaim.is_some() {
+         get_persistent_volume_claim_mount(
+             settings,
+@@ -169,6 +176,7 @@ fn get_empty_dir_mount_and_storage(
+     storages: &mut Vec<agent::Storage>,
+     yaml_mount: &pod::VolumeMount,
+     memory_medium: bool,
++    mount_options: (&str, &str),
+ ) {
+     let settings_volumes = &settings.volumes;
+     let settings_empty_dir = if memory_medium {
+@@ -204,14 +212,16 @@ fn get_empty_dir_mount_and_storage(
+         &settings_empty_dir.mount_type
+     };
+
++    let (propagation, access) = mount_options;
++
+     p_mounts.push(policy::KataMount {
+         destination: yaml_mount.mountPath.to_string(),
+         type_: mount_type.to_string(),
+         source,
+         options: vec![
+             "rbind".to_string(),
+-            "rprivate".to_string(),
+-            "rw".to_string(),
++            propagation.to_string(),
++            access.to_string(),
+         ],
+     });
+ }
+-- 
+2.34.1
+
diff --git a/...y-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch b/...y-name/microsoft/genpolicy/0006-genpolicy-support-HostToContainer-mount-propagation.patch
@@ -0,0 +1,28 @@
+From 8255b303a8d1c21ed22f2d9f7166101de151a9f4 Mon Sep 17 00:00:00 2001
+From: Leonard Cohnen <[email protected]>
+Date: Fri, 30 Aug 2024 00:30:57 +0200
+Subject: [PATCH 6/6] genpolicy: support HostToContainer mount propagation
+
+---
+ src/tools/genpolicy/src/mount_and_storage.rs | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
+index 05a4521f0..c81dc0c52 100644
+--- a/src/tools/genpolicy/src/mount_and_storage.rs
++++ b/src/tools/genpolicy/src/mount_and_storage.rs
+@@ -108,8 +108,9 @@ pub fn get_mount_and_storage(
+     yaml_volume: &volume::Volume,
+     yaml_mount: &pod::VolumeMount,
+ ) {
+-    let propagation = match &yaml_mount.mountPropagation {
+-        Some(p) if p == "Bidirectional" => "rshared",
++    let propagation = match yaml_mount.mountPropagation.as_deref() {
++        Some("Bidirectional") => "rshared",
++        Some("HostToContainer") => "rslave",
+         _ => "rprivate",
+     };
+
+-- 
+2.34.1
+
diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_rules_coordinator.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_rules_coordinator.patch
@@ -2,7 +2,7 @@ diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
 index c3eb334..a796740 100644
 --- a/genpolicy-rules.rego
 +++ b/genpolicy-rules.rego
-@@ -164,9 +164,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+@@ -164,8 +164,8 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
      p_namespace := p_oci.Annotations[s_namespace]
      i_namespace := i_oci.Annotations[s_namespace]
      print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)

diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
@@ -45,6 +45,16 @@ rustPlatform.buildRustPackage rec {
       #
       # This patch is not upstreamable.
       ./0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
+      # This patch builds on top of the Azure CSI patches specific to the msft
+      # version of genpolicy. Therefore, we don't attempt to upstream those changes.
+      # We can revisit this if microsoft upstreamed
+      # https://github.com/microsoft/kata-containers/pull/174
+      ./0005-genpolicy-propagate-mount_options-for-empty-dirs.patch
+      # This patch builds on top of the Azure CSI patches specific to the msft
+      # version of genpolicy. Therefore, we don't attempt to upstream those changes.
+      # We can revisit this if microsoft upstreamed
+      # https://github.com/microsoft/kata-containers/pull/174
+      ./0006-genpolicy-support-HostToContainer-mount-propagation.patch
     ];
   };