genpolicy-msft: relax namespace check in dev

The default Kata policy requires the namespace annotation to match the namespace in the original YAML (or a default value, if absent there). The security benefits of this are unclear - see upstream issue XXX. This requirement makes it unnecessarily hard to generate portable policies. This commit introduces a backwards-compatible tweak to the default rules that allows for namespace flexibility in compiled policies. Instead of a hard equality check we interpret the policy namespace as a regular expression and match the input namespace to it. Since all valid Kubernetes namespaces are RFC 1123 DNS labels [1], they can be used as literal values in regexps, so the behaviour is unchanged for regular YAML with a valid namespace or no namespace at all. To create a portable policy, one fills the namespace field with e.g. "[a-z0-9]{1,63}" before generating the policy, and removes the field afterwards. [1]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns
edgelesssys · Feb 9, 2024 · e86056a · e86056a
1 parent 42bddde
commit e86056a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/packages/default.nix b/packages/default.nix
@@ -47,7 +47,7 @@ rec {
       prePatch = ''
         install -D ${lib.getExe genpolicy} cli/assets/genpolicy
         install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/assets/genpolicy-settings.json
-        install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
+        install -D ${genpolicy.rules-dev}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
       '';
 
       CGO_ENABLED = 0;

diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
       recursiveHash = true;
       postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
     };
+
+    rules-dev = applyPatches {
+      src = rules;
+      patches = [ ./genpolicy_msft_rules_dev.patch ];
+    };
   };
 
   meta = {

diff --git a/packages/genpolicy_msft_rules_dev.patch b/packages/genpolicy_msft_rules_dev.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+old mode 100755
+new mode 100644
+index e1954e9..b11e7ea 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,7 +137,7 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+     p_namespace := p_oci.Annotations[s_namespace]
+     i_namespace := i_oci.Annotations[s_namespace]
+     print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+-    p_namespace == i_namespace
++    regex.match(concat("", ["^", p_namespace, "$"]), i_namespace)
+
+     allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+     allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)