kata.kata-runtime: 3.11.0 -> 3.12.0

Signed-off-by: Paul Meyer <[email protected]>
edgelesssys · Jan 3, 2025 · d4892d3 · d4892d3
1 parent 682d964
commit d4892d3
Show file tree

Hide file tree

Showing 15 changed files with 60 additions and 65 deletions.
diff --git a/packages/by-name/kata/kata-kernel-uvm/package.nix b/packages/by-name/kata/kata-kernel-uvm/package.nix
@@ -19,7 +19,7 @@ let
 
     src = fetchzip {
       url = "https://github.com/kata-containers/kata-containers/releases/download/${version}/kata-static-${version}-amd64.tar.xz";
-      hash = "sha256-zxCp7iDVq/Oy21S5pv/z6iVCrFF02UHYjd/JAB8iUzQ=";
+      hash = "sha256-a0clnxq1vtaq9QpmFO6UBkU5Ecc5LcjqCH6/R7NBXMw=";
       stripRoot = false;
     };
 

diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
@@ -270,7 +270,7 @@ index 5dd9c1e2616b8cd47a60a5644ec9d88705fe3fbd..b8b216c6b24829a457ae55209c63d091
 
  [[bin]]
 diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
-index 3e2e22d698f98c9ea3bb9807694e8d93f5cd8d9a..8912b8c76b64619f5251fd2f95c2da2e2f45937e 100644
+index 17d1d34a147d58fe6cab10d21b54af4fffc4be63..033aac8530390129638d6feff64818d3ebbce20d 100644
 --- a/src/agent/src/main.rs
 +++ b/src/agent/src/main.rs
 @@ -85,6 +85,10 @@ mod tracer;

diff --git a/packages/by-name/kata/kata-runtime/0004-genpolicy-enable-sysctl-checks.patch b/packages/by-name/kata/kata-runtime/0004-genpolicy-enable-sysctl-checks.patch
@@ -16,7 +16,7 @@ environment-dependent sysctls in the settings file.
  5 files changed, 61 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index fe1625bac119b59ce2094b2220e2a87c486e670a..e50d5e545e3fe42db486771345310d4c2157be2f 100644
+index 5bbb306e3f4a2c01f482da11b2b27da502635c1d..c84550181b98913ece32eff3e2a7a0164ec2ce12 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -39,6 +39,10 @@
@@ -44,26 +44,26 @@ index fe1625bac119b59ce2094b2220e2a87c486e670a..e50d5e545e3fe42db486771345310d4c
      },
      "volumes": {
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index ed6b4893a9c4c8b49dc26cc645d763ee7e36eb4f..1a7f7107030b4af11a43e26b6481d3a0016f7816 100644
+index 6caba4435722f22712f42502e881957f2206b8f2..b2fdb5813a1ff17ceab60cae61b31868316b1f85 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -120,7 +120,6 @@ allow_create_container_input {
+@@ -129,7 +129,6 @@ allow_create_container_input {
      is_null(i_linux.Resources.Network)
      is_null(i_linux.Resources.Pids)
      is_null(i_linux.Seccomp)
 -    i_linux.Sysctl == {}
 
      i_process := i_oci.Process
      count(i_process.SelinuxLabel) == 0
-@@ -438,6 +437,7 @@ allow_linux(p_oci, i_oci) {
+@@ -451,6 +450,7 @@ allow_linux(p_oci, i_oci) {
      allow_masked_paths(p_oci, i_oci)
      allow_readonly_paths(p_oci, i_oci)
      allow_linux_devices(p_oci.Linux.Devices, i_oci.Linux.Devices)
 +    allow_linux_sysctl(p_oci.Linux, i_oci.Linux)
 
      print("allow_linux: true")
  }
-@@ -536,6 +536,23 @@ allow_linux_devices(p_devices, i_devices) {
+@@ -549,6 +549,23 @@ allow_linux_devices(p_devices, i_devices) {
      print("allow_linux_devices: true")
  }
 
@@ -176,7 +176,7 @@ index 19f8822395ca225961bcf77bc3e5ae25e3c31119..1769ca02e1e159e977d22e216b540e29
          ..Default::default()
      };
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 973643e1f270b589e30e0b2e9235dbfa70df0f20..c2753c0f89f28638f955903db412407cb6b90ef9 100644
+index 656e410668eb4c5fbcddcb732f36325bcfc0e372..6ce6805b299d0ea1d233fb11992b7a7065130cdb 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -180,14 +180,20 @@ pub struct KataLinux {
@@ -200,7 +200,7 @@ index 973643e1f270b589e30e0b2e9235dbfa70df0f20..c2753c0f89f28638f955903db412407c
  }
 
  /// OCI container LinuxNamespace struct. This struct is similar to the LinuxNamespace
-@@ -616,6 +622,9 @@ impl AgentPolicy {
+@@ -606,6 +612,9 @@ impl AgentPolicy {
              linux.Devices.push(default_device.clone())
          }
 

diff --git a/packages/by-name/kata/kata-runtime/0005-genpolicy-read-bundle-id-from-rootfs.patch b/packages/by-name/kata/kata-runtime/0005-genpolicy-read-bundle-id-from-rootfs.patch
@@ -14,10 +14,10 @@ NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10065
  1 file changed, 8 insertions(+), 21 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 1a7f7107030b4af11a43e26b6481d3a0016f7816..b9ea01e439b55c12600765a73321e76b8311d5a4 100644
+index b2fdb5813a1ff17ceab60cae61b31868316b1f85..96f33012ca5fbfef0dc748dc80ad1114dda47338 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -558,9 +558,6 @@ allow_linux_sysctl(p_linux, i_linux) {
+@@ -571,9 +571,6 @@ allow_linux_sysctl(p_linux, i_linux) {
  allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
      print("allow_by_bundle_or_sandbox_id: start")
 
@@ -27,7 +27,7 @@ index 1a7f7107030b4af11a43e26b6481d3a0016f7816..b9ea01e439b55c12600765a73321e76b
      key := "io.kubernetes.cri.sandbox-id"
 
      p_regex := p_oci.Annotations[key]
-@@ -569,7 +566,14 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+@@ -582,7 +579,14 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
      print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
      regex.match(p_regex, sandbox_id)
 
@@ -43,7 +43,7 @@ index 1a7f7107030b4af11a43e26b6481d3a0016f7816..b9ea01e439b55c12600765a73321e76b
 
      every i_mount in input.OCI.Mounts {
          allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
-@@ -820,23 +824,6 @@ is_ip_other_byte(component) {
+@@ -833,23 +837,6 @@ is_ip_other_byte(component) {
      number <= 255
  }
 

diff --git a/...by-name/kata/kata-runtime/0006-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/...by-name/kata/kata-runtime/0006-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
@@ -9,10 +9,10 @@ Signed-off-by: Paul Meyer <[email protected]>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index b9ea01e439b55c12600765a73321e76b8311d5a4..d86a8718e221e1b428d34db5af97911f9609d392 100644
+index 96f33012ca5fbfef0dc748dc80ad1114dda47338..e6514cc2ced38b73ce925698edadee52b11ff9a7 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -954,7 +954,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+@@ -967,7 +967,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
      i_count == p_count + 3
 
      print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])

diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch
@@ -9,12 +9,12 @@ Signed-off-by: Paul Meyer <[email protected]>
  1 file changed, 3 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index d86a8718e221e1b428d34db5af97911f9609d392..8562a2946889a9c52f46d86382821638c4ac59de 100644
+index e6514cc2ced38b73ce925698edadee52b11ff9a7..63d5e30ac64cdd8bab94e982423646de1b8559e6 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -79,9 +79,6 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
-
-     p_oci := p_container.OCI
+@@ -88,9 +88,6 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
+     add_namespace_to_state := allow_namespace(p_namespace, i_namespace)
+     ops := concat_op_if_not_null(ops_builder1, add_namespace_to_state)
 
 -    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
 -    p_oci.Version == i_oci.Version

diff --git a/...by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch b/...by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch
@@ -10,7 +10,7 @@ https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integratio
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index e50d5e545e3fe42db486771345310d4c2157be2f..d2d1511ae75d56c4f39915515343b2cd20d9d65a 100644
+index c84550181b98913ece32eff3e2a7a0164ec2ce12..0e75bac710f5ab04d5ab941a79a0484663f3ae70 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -243,7 +243,7 @@

diff --git a/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch b/packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch
@@ -16,17 +16,17 @@ image reference without a digest cannot be meaningfully checked, so we
 don't even bother handling that case.
 ---
  src/tools/genpolicy/genpolicy-settings.json   |    2 +-
- src/tools/genpolicy/rules.rego                |  116 +-
+ src/tools/genpolicy/rules.rego                |  121 +-
  src/tools/genpolicy/src/policy.rs             |    4 +
  src/tools/genpolicy/tests/main.rs             |    7 +-
  .../createcontainer/guest_pull/pod.yaml       |   11 +
  .../createcontainer/guest_pull/testcases.json | 2027 +++++++++++++++++
- 6 files changed, 2147 insertions(+), 20 deletions(-)
+ 6 files changed, 2151 insertions(+), 21 deletions(-)
  create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml
  create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index d2d1511ae75d56c4f39915515343b2cd20d9d65a..ef20413eacc029d4fcb0b1d2f538a13314a25670 100644
+index 0e75bac710f5ab04d5ab941a79a0484663f3ae70..1b6ab8380d16fbf71638f3965719bf3a018a3f0c 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -148,7 +148,7 @@
@@ -39,10 +39,10 @@ index d2d1511ae75d56c4f39915515343b2cd20d9d65a..ef20413eacc029d4fcb0b1d2f538a133
              "source": "local",
              "fstype": "local",
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b43a1ec93 100644
+index 63d5e30ac64cdd8bab94e982423646de1b8559e6..1d1808edff203b19f266bbb81f70b05ee56d76ea 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -85,7 +85,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
+@@ -94,7 +94,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
      allow_anno(p_oci, i_oci)
 
      p_storages := p_container.storages
@@ -51,20 +51,18 @@ index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b
 
      p_devices := p_container.devices
      allow_devices(p_devices, i_devices)
-@@ -206,47 +206,48 @@ allow_anno_key(i_key, p_oci) {
+@@ -228,38 +228,42 @@ allow_anno_key(i_key, p_oci) {
 
- # Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+ # Get the value of the S_NAME_KEY annotation and
  # correlate it with other annotations and process fields.
 -allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
 +allow_by_anno(p_container, i_oci, i_storages) {
      print("allow_by_anno 1: start")
 
-     s_name := "io.kubernetes.cri.sandbox-name"
+-    not p_oci.Annotations[S_NAME_KEY]
++    not p_container.OCI.Annotations[S_NAME_KEY]
 
--    not p_oci.Annotations[s_name]
-+    not p_container.OCI.Annotations[s_name]
-
-     i_s_name := i_oci.Annotations[s_name]
+     i_s_name := i_oci.Annotations[S_NAME_KEY]
      print("allow_by_anno 1: i_s_name =", i_s_name)
 
 -    allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
@@ -76,11 +74,9 @@ index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b
 +allow_by_anno(p_container, i_oci, i_storages) {
      print("allow_by_anno 2: start")
 
-     s_name := "io.kubernetes.cri.sandbox-name"
-
--    p_s_name := p_oci.Annotations[s_name]
-+    p_s_name := p_container.OCI.Annotations[s_name]
-     i_s_name := i_oci.Annotations[s_name]
+-    p_s_name := p_oci.Annotations[S_NAME_KEY]
++    p_s_name := p_container.OCI.Annotations[S_NAME_KEY]
+     i_s_name := i_oci.Annotations[S_NAME_KEY]
      print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
 
      allow_sandbox_name(p_s_name, i_s_name)
@@ -94,21 +90,20 @@ index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b
 +allow_by_sandbox_name(p_container, i_oci, i_storages, s_name) {
      print("allow_by_sandbox_name: start")
 
-     s_namespace := "io.kubernetes.cri.sandbox-namespace"
-
 +    p_oci := p_container.OCI
-     p_namespace := p_oci.Annotations[s_namespace]
-     i_namespace := i_oci.Annotations[s_namespace]
-     print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
-     p_namespace == i_namespace
++    p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
+     i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
++    print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
++    p_namespace == i_namespace
 
-     allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+-    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
 -    allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
++    allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
 +    allow_by_bundle_or_sandbox_id(p_container, i_oci, i_storages)
      allow_process(p_oci, i_oci, s_name)
 
      print("allow_by_sandbox_name: true")
-@@ -552,11 +553,12 @@ allow_linux_sysctl(p_linux, i_linux) {
+@@ -565,11 +569,12 @@ allow_linux_sysctl(p_linux, i_linux) {
 
  # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
  # and io.kubernetes.cri.sandbox-id" values with other fields.
@@ -122,7 +117,7 @@ index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b
      p_regex := p_oci.Annotations[key]
      sandbox_id := i_oci.Annotations[key]
 
-@@ -576,8 +578,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+@@ -589,8 +594,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
          allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
      }
 
@@ -132,7 +127,7 @@ index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b
 
      print("allow_by_bundle_or_sandbox_id: true")
  }
-@@ -875,30 +876,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+@@ -888,30 +892,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
  ######################################################################
  # Create container Storages
 
@@ -249,7 +244,7 @@ index 8562a2946889a9c52f46d86382821638c4ac59de..bdacdcbcd92302efcd5243da904b611b
 
  allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index c2753c0f89f28638f955903db412407cb6b90ef9..9e69126d9008f361e77086018414abc75a8cc092 100644
+index 6ce6805b299d0ea1d233fb11992b7a7065130cdb..4601b85893e1c63eaf4b68403713894001dc9ffd 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -269,6 +269,9 @@ pub struct ContainerPolicy {
@@ -262,7 +257,7 @@ index c2753c0f89f28638f955903db412407cb6b90ef9..9e69126d9008f361e77086018414abc7
      /// Data compared with req.storages for CreateContainerRequest calls.
      storages: Vec<agent::Storage>,
 
-@@ -635,6 +638,7 @@ impl AgentPolicy {
+@@ -625,6 +628,7 @@ impl AgentPolicy {
                  Annotations: annotations,
                  Linux: linux,
              },

diff --git a/...by-name/kata/kata-runtime/0010-runtime-agent-mounts-Mount-configfs-into-the-contain.patch b/...by-name/kata/kata-runtime/0010-runtime-agent-mounts-Mount-configfs-into-the-contain.patch
@@ -23,7 +23,7 @@ Signed-off-by: Fabiano Fidêncio <[email protected]>
  1 file changed, 20 insertions(+)
 
 diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs
-index 14e3d95608784d18c4978fa2c89d1f523335a7e3..b5f8579132f262be66f2d73baa76a73fdff13e5d 100644
+index d02aabeedc331f5b872c509887eeee9819da3deb..993739e569809c8da1b19288aca75c4bd98e1387 100644
 --- a/src/agent/rustjail/src/mount.rs
 +++ b/src/agent/rustjail/src/mount.rs
 @@ -288,6 +288,26 @@ pub fn init_rootfs(

diff --git a/...es/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch b/...es/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch
@@ -9,10 +9,10 @@ Subject: [PATCH] genpolicy: support mount propagation and ro-mounts
  2 files changed, 9 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index bdacdcbcd92302efcd5243da904b611b43a1ec93..dba71d4785fccf4717f66013a56fbbd4bff764b6 100644
+index 1d1808edff203b19f266bbb81f70b05ee56d76ea..0e6d5dadd3a69f472a37326bb34a1b05d12bb85d 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -110,7 +110,8 @@ allow_create_container_input {
+@@ -119,7 +119,8 @@ allow_create_container_input {
      count(i_linux.GIDMappings) == 0
      count(i_linux.MountLabel) == 0
      count(i_linux.Resources.Devices) == 0

diff --git a/.../by-name/kata/kata-runtime/0013-tools-don-t-clean-build-root-when-generating-rootfs.patch b/.../by-name/kata/kata-runtime/0013-tools-don-t-clean-build-root-when-generating-rootfs.patch
@@ -8,10 +8,10 @@ Subject: [PATCH] tools: don't clean build root when generating rootfs
  1 file changed, 6 deletions(-)
 
 diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
-index 04a855a0ceccf094a36c1b4a79b4dc90e9822d29..f53b524601cdff4b38f41834796856624fac812f 100755
+index 337dbafaf2e4c791f1bb15832b296279d74af4d2..5966fea09334479f1f0c26d90fb38a37be67b3a8 100755
 --- a/tools/osbuilder/rootfs-builder/rootfs.sh
 +++ b/tools/osbuilder/rootfs-builder/rootfs.sh
-@@ -401,12 +401,6 @@ build_rootfs_distro()
+@@ -405,12 +405,6 @@ build_rootfs_distro()
  		trap error_handler ERR
  	fi
 

diff --git a/...ages/by-name/kata/kata-runtime/0015-genpolicy-do-not-log-policy-annotation-in-debug.patch b/...ages/by-name/kata/kata-runtime/0015-genpolicy-do-not-log-policy-annotation-in-debug.patch
@@ -8,7 +8,7 @@ Subject: [PATCH] genpolicy: do not log policy annotation in 'debug'
  1 file changed, 37 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/src/obj_meta.rs b/src/tools/genpolicy/src/obj_meta.rs
-index 3da75fc0ff67068af04ea98a6dfdc6989961e17c..327ef13ad4cd6ff8f08d25228e6c108dea3f1606 100644
+index cc549b71b4683bd89107d57a7d98d6f02db82023..37d0a8397fcdddbda6acad01d6f32c94b1ab1a2f 100644
 --- a/src/tools/genpolicy/src/obj_meta.rs
 +++ b/src/tools/genpolicy/src/obj_meta.rs
 @@ -8,9 +8,10 @@
@@ -23,7 +23,7 @@ index 3da75fc0ff67068af04ea98a6dfdc6989961e17c..327ef13ad4cd6ff8f08d25228e6c108d
  pub struct ObjectMeta {
      #[serde(skip_serializing_if = "Option::is_none")]
      pub name: Option<String>,
-@@ -43,3 +44,38 @@ impl ObjectMeta {
+@@ -46,3 +47,38 @@ impl ObjectMeta {
          self.namespace.as_ref().cloned()
      }
  }

diff --git a/packages/by-name/kata/kata-runtime/0016-genpolicy-allow-non-watchable-ConfigMaps.patch b/packages/by-name/kata/kata-runtime/0016-genpolicy-allow-non-watchable-ConfigMaps.patch
@@ -21,7 +21,7 @@ Signed-off-by: Markus Rudy <[email protected]>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index ef20413eacc029d4fcb0b1d2f538a13314a25670..a218a4d9c4717e4dd2abdc3fd4b0d1a6d8171661 100644
+index 1b6ab8380d16fbf71638f3965719bf3a018a3f0c..1e43545320d474ce5994514165176cd8c48db425 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -179,7 +179,7 @@

diff --git a/packages/by-name/kata/kata-runtime/0017-genpolicy-support-guest-hooks.patch b/packages/by-name/kata/kata-runtime/0017-genpolicy-support-guest-hooks.patch
@@ -17,7 +17,7 @@ Signed-off-by: Markus Rudy <[email protected]>
  3 files changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index a218a4d9c4717e4dd2abdc3fd4b0d1a6d8171661..a9ca4960e9e6879109a4f0b50b9aebe33430e674 100644
+index 1e43545320d474ce5994514165176cd8c48db425..9b95f9f7462717d04f0b9ce685d97c0455f949da 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -240,7 +240,8 @@
@@ -31,10 +31,10 @@ index a218a4d9c4717e4dd2abdc3fd4b0d1a6d8171661..a9ca4960e9e6879109a4f0b50b9aebe3
      "common": {
          "cpath": "/run/kata-containers",
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index dba71d4785fccf4717f66013a56fbbd4bff764b6..73adb09377a57e25ae9171a43b314ac3fc26298b 100644
+index 0e6d5dadd3a69f472a37326bb34a1b05d12bb85d..e83c35d54f273838d4b717c6c4dad03f52b1a04e 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -1266,7 +1266,7 @@ CopyFileRequest {
+@@ -1282,7 +1282,7 @@ CopyFileRequest {
 
  CreateSandboxRequest {
      print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
@@ -43,7 +43,7 @@ index dba71d4785fccf4717f66013a56fbbd4bff764b6..73adb09377a57e25ae9171a43b314ac3
 
      print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
      count(input.kernel_modules) == 0
-@@ -1277,6 +1277,21 @@ CreateSandboxRequest {
+@@ -1293,6 +1293,21 @@ CreateSandboxRequest {
      allow_sandbox_storages(input.storages)
  }
 
@@ -66,10 +66,10 @@ index dba71d4785fccf4717f66013a56fbbd4bff764b6..73adb09377a57e25ae9171a43b314ac3
      print("ExecProcessRequest 1: input =", input)
 
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 9e69126d9008f361e77086018414abc75a8cc092..9f4accaca8c57620f9becd1d10d9606004be3adb 100644
+index 4601b85893e1c63eaf4b68403713894001dc9ffd..e2012bf6f2d80ffea678a38803d8e85f5369b9dc 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
-@@ -408,6 +408,8 @@ pub struct ClusterConfig {
+@@ -406,6 +406,8 @@ pub struct ClusterConfig {
  pub struct SandboxData {
      /// Expected value of the CreateSandboxRequest storages field.
      pub storages: Vec<agent::Storage>,