diff --git a/packages/default.nix b/packages/default.nix
index 24fffd57af..f747fc34d1 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -47,7 +47,7 @@ rec {
 prePatch = ''
 install -D ${lib.getExe genpolicy} cli/assets/genpolicy
 install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/assets/genpolicy-settings.json
- install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
+ install -D ${genpolicy.rules-dev}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
 '';
 
 CGO_ENABLED = 0;
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index 25713848ac..e7b8a48017 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
 recursiveHash = true;
 postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
 };
+
+ rules-dev = applyPatches {
+ src = rules;
+ patches = [ ./genpolicy_msft_rules_dev.patch ];
+ };
 };
 
 meta = {
diff --git a/packages/genpolicy_msft_rules_dev.patch b/packages/genpolicy_msft_rules_dev.patch
new file mode 100644
index 0000000000..a1b4a68be8
--- /dev/null
+++ b/packages/genpolicy_msft_rules_dev.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+old mode 100755
+new mode 100644
+index e1954e9..b11e7ea 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,7 +137,7 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+- p_namespace == i_namespace
++ regex.match(concat("", ["^", p_namespace, "$"]), i_namespace)
+ 
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
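Review bot: The new `rules-dev` attribute changes what the agent policy enforces but carries no documentation, so a reader of genpolicy_msft.nix cannot tell from the name that it is a weakened rule set rather than a development-workflow convenience. I would add a comment above the attribute: `# Dev-only variant of the upstream rules: the patch relaxes the sandbox namespace check from string equality to an anchored regex match. Never wire this into a release artifact.` The packages/default.nix hunk now installs this variant into cli/assets, presumably in step with the existing `settings-dev` asset, so the same caveat belongs there; whether that derivation is dev-only is not visible in this diff, so please confirm. The enclosing attribute set starts before the hunk.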
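Review bot: The replacement for `p_namespace == i_namespace` turns the policy-side namespace into an RE2 pattern with only the outer `^`/`$` anchors, so any regex metacharacter present in that annotation value is interpreted rather than compared literally, and the rule accepts more than the equality it replaces. That is acceptable only if every producer of this annotation knowingly writes a pattern; if the policy generator copies a literal namespace, the value should be escaped before concatenation or the pattern form limited to an explicit marker. Note also that `regex.match` is undefined on an invalid pattern, so a malformed value makes the rule fail closed rather than error out loudly. The patched line deserves a comment in the rego: `# dev rules: p_namespace is treated as an anchored RE2 pattern, not a literal; metacharacters in it widen the match`. `allow_by_sandbox_name` begins at the hunk header and its body continues past the hunk, so the remaining checks in that rule are not reviewed here.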