From e86056ab467572d39e0fcdf28374df74f9f62ab0 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 9 Feb 2024 10:06:46 +0100
Subject: [PATCH] genpolicy-msft: relax namespace check in dev

The default Kata policy requires the namespace annotation to match the namespace in the original YAML (or a default value, if absent there). The security benefits of this are unclear - see upstream issue XXX. This requirement makes it unnecessarily hard to generate portable policies. This commit introduces a backwards-compatible tweak to the default rules that allows for namespace flexibility in compiled policies. Instead of a hard equality check we interpret the policy namespace as a regular expression and match the input namespace to it. Since all valid Kubernetes namespaces are RFC 1123 DNS labels [1], they can be used as literal values in regexps, so the behaviour is unchanged for regular YAML with a valid namespace or no namespace at all. To create a portable policy, one fills the namespace field with e.g. "[a-z0-9]{1,63}" before generating the policy, and removes the field afterwards.
[1]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#namespaces-and-dns
---
 packages/default.nix | 2 +-
 packages/genpolicy_msft.nix | 5 +++++
 packages/genpolicy_msft_rules_dev.patch | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 packages/genpolicy_msft_rules_dev.patch

diff --git a/packages/default.nix b/packages/default.nix
index 24fffd57af..f747fc34d1 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -47,7 +47,7 @@ rec {
 prePatch = ''
 install -D ${lib.getExe genpolicy} cli/assets/genpolicy
 install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/assets/genpolicy-settings.json
- install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
+ install -D ${genpolicy.rules-dev}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
 '';
 CGO_ENABLED = 0;
 
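Review bot: The replaced install line bakes the relaxed `rules-dev` rule set into every CLI build, and nothing in this derivation confines it to development use despite the name; together with the existing `settings-dev` line this is presumably the intended convention, but a reader of cli/assets cannot tell that the shipped policy no longer pins the namespace literally. A one-line comment above the install would make this visible: `# rules-dev matches the namespace annotation as a regex (see genpolicy_msft_rules_dev.patch)`. The prePatch string and the enclosing `rec {` attribute set continue outside the hunk.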
diff --git a/packages/genpolicy_msft.nix b/packages/genpolicy_msft.nix
index 25713848ac..e7b8a48017 100644
--- a/packages/genpolicy_msft.nix
+++ b/packages/genpolicy_msft.nix
@@ -62,6 +62,11 @@ rustPlatform.buildRustPackage rec {
 recursiveHash = true;
 postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
 };
+
+ rules-dev = applyPatches {
+ src = rules;
+ patches = [ ./genpolicy_msft_rules_dev.patch ];
+ };
 };
 
 meta = {
diff --git a/packages/genpolicy_msft_rules_dev.patch b/packages/genpolicy_msft_rules_dev.patch
new file mode 100644
index 0000000000..a1b4a68be8
--- /dev/null
+++ b/packages/genpolicy_msft_rules_dev.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+old mode 100755
+new mode 100644
+index e1954e9..b11e7ea 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -137,7 +137,7 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+- p_namespace == i_namespace
++ regex.match(concat("", ["^", p_namespace, "$"]), i_namespace)
+ 
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
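Review bot: Anchoring by string concatenation does not distribute over alternation in the replaced `regex.match` line: a policy namespace such as `foo|bar` compiles to `^foo|bar$`, which accepts any input namespace that merely starts with `foo` or ends with `bar`. Wrapping the pattern in a non-capturing group, `regex.match(concat("", ["^(?:", p_namespace, ")$"]), i_namespace)`, keeps the whole pattern anchored; OPA's regex built-ins are backed by Go's regexp package, which supports `(?:…)`. For a plain DNS-label namespace both forms are equivalent to the old equality, so the literal case the commit message describes is unaffected, but a comment in the rule such as `# p_namespace is a regex pattern, anchored to the full input namespace` would tell readers that the policy-side annotation is no longer a literal. The commit message's `upstream issue XXX` reference is still a placeholder. The `allow_by_sandbox_name` rule continues past the hunk.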