From 439a6ba43cb78a80e450d7bcc814b7f90627d333 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Wed, 4 Sep 2024 14:48:16 +0200 Subject: [PATCH 1/4] kata.kata-runtime: genpolicy patches for secure guest-pull Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> --- packages/by-name/kata/genpolicy/package.nix | 2 + ...ass-the-firwmare-using-bios-with-SNP.patch | 6 +- ...l-that-most-closely-matches-the-host.patch | 6 +- ...e-agent-verify-the-agent-policy-hash.patch | 6 +- ...llow-specifying-nydus-overlayfs-bina.patch | 6 +- ...cy-deny-UpdateEphemeralMountsRequest.patch | 104 + ...icy-validate-create-sandbox-storages.patch | 147 ++ .../0007-genpolicy-enable-sysctl-checks.patch | 223 ++ ...genpolicy-read-bundle-id-from-rootfs.patch | 72 + ...check-contrast-specific-layer-src-pr.patch | 27 + ...-genpolicy-settings-bump-OCI-version.patch | 33 + ...gs-change-cpath-for-Nydus-guest-pull.patch | 27 + ...012-genpolicy-allow-image_guest_pull.patch | 2347 +++++++++++++++++ .../by-name/kata/kata-runtime/package.nix | 32 + 14 files changed, 3026 insertions(+), 12 deletions(-) create mode 100644 packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch create mode 100644 packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch create mode 100644 packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch create mode 100644 packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch create mode 100644 packages/by-name/kata/kata-runtime/0009-genpolicy-regex-check-contrast-specific-layer-src-pr.patch create mode 100644 packages/by-name/kata/kata-runtime/0010-genpolicy-settings-bump-OCI-version.patch create mode 100644 packages/by-name/kata/kata-runtime/0011-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch create mode 100644 packages/by-name/kata/kata-runtime/0012-genpolicy-allow-image_guest_pull.patch 
diff --git a/packages/by-name/kata/genpolicy/package.nix b/packages/by-name/kata/genpolicy/package.nix index c850b7d0f7..03d62041a1 100644 --- a/packages/by-name/kata/genpolicy/package.nix +++ b/packages/by-name/kata/genpolicy/package.nix @@ -55,6 +55,8 @@ rustPlatform.buildRustPackage rec { # these want internet access, disable them "--skip=test_copyfile" "--skip=test_create_sandbox" + "--skip=test_create_container_guest_pull" + "--skip=test_create_container_process" ]; passthru = { diff --git a/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch b/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch index d8490a14c1..4499b12728 100644 --- a/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch +++ b/packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch @@ -1,7 +1,7 @@ -From c7462075ed2bca6a56da5f246dbaddf128073eba Mon Sep 17 00:00:00 2001 +From 786d23a72425fb55d1ba043f1a64026abea266e1 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Fri, 5 Jul 2024 08:43:13 +0000 -Subject: [PATCH 1/4] govmm: Directly pass the firwmare using -bios with SNP +Subject: [PATCH 01/12] govmm: Directly pass the firwmare using -bios with SNP 3e158001993cc2356d6ac084e6c82714210c9f24, but for SNP. --- @@ -24,5 +24,5 @@ index 47322c803..6b2b6b02d 100644 objectParams = append(objectParams, string(object.Type)) objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch b/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch index cb8c740d26..987eae5df1 100644 --- a/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch 
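Review bot: The two tests newly added to the skip list, `test_create_container_guest_pull` and `test_create_container_process`, appear to be the ones that would exercise the guest-pull `allow_storages` variant and its `tests/testdata/createcontainer/guest_pull/testcases.json` introduced by patch 0012, so the Nix build no longer verifies the policy logic this series is about. The hunk's existing comment attributes every skip to internet access; if that holds for these two, say so per test (e.g. `# guest_pull/process testcases resolve image digests from a registry`) and consider running them in a network-enabled check rather than dropping coverage. If they were added because they fail for another reason, the comment is now misleading and should be corrected.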
+++ b/packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch @@ -1,7 +1,7 @@ -From 1b310a680a6f8920d353db2baa0e112c4f24d4d7 Mon Sep 17 00:00:00 2001 +From 1831c429d985b5f17a76e0943d345b0f87707100 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 8 Jul 2024 07:35:54 +0000 -Subject: [PATCH 2/4] emulate CPU model that most closely matches the host +Subject: [PATCH 02/12] emulate CPU model that most closely matches the host QEMU's CPU model 'host' still doesn't support SNP, but by using the correct model, the guest is able to figure out the correct CPU model @@ -36,5 +36,5 @@ index 1d1be1711..6ebee26ce 100644 } -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch index e1f4cbb1e8..68a8dfc202 100644 --- a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch +++ b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch @@ -1,7 +1,7 @@ -From 90ac78311def7100de26d543d862c56561526f7f Mon Sep 17 00:00:00 2001 +From 4aa73d29ed5300bb530483e29c03c7cd4cb2f342 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 8 Jul 2024 07:51:20 +0000 -Subject: [PATCH 3/4] runtime: agent: verify the agent policy hash +Subject: [PATCH 03/12] runtime: agent: verify the agent policy hash For TEE Guests that support the inclusion of immutable Host owned data in their configuration (SNP HostData and TDX MRCONFIGID): @@ -1287,5 +1287,5 @@ index b58daccaa..af35af12e 100644 spec := s.GetPatchedOCISpec() if spec != nil && spec.Process.SelinuxLabel != "" { -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch b/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch index 2d4ca26703..14e4fe2a0a 100644 
--- a/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch +++ b/packages/by-name/kata/kata-runtime/0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch @@ -1,7 +1,7 @@ -From a7517afc0c5bdc529725c4841ef917190e30696c Mon Sep 17 00:00:00 2001 +From 01134399f6e2f8a1a106dfd51fbeb3dcd0478442 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Fri, 9 Aug 2024 11:06:04 +0200 -Subject: [PATCH 4/4] virtcontainers: allow specifying nydus-overlayfs binary +Subject: [PATCH 04/12] virtcontainers: allow specifying nydus-overlayfs binary by path ...or by using a binary with additional suffix. @@ -179,5 +179,5 @@ index be76a93a6..a809bb018 100644 } else { errors = merr.Append(errors, bindUnmountContainerRootfs(ctx, sharedDir, c.id)) -- -2.45.2 +2.46.0 diff --git a/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch b/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch new file mode 100644 index 0000000000..e5193c4cfb --- /dev/null +++ b/packages/by-name/kata/kata-runtime/0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch 
@@ -0,0 +1,104 @@ +From 3c4c4d9b8dfeec7acf57685672b2da2911331117 Mon Sep 17 00:00:00 2001 +From: Dan Mihai +Date: Tue, 19 Dec 2023 09:54:55 -0800 +Subject: [PATCH 05/12] genpolicy: deny UpdateEphemeralMountsRequest + +* genpolicy: deny UpdateEphemeralMountsRequest + +Deny UpdateEphemeralMountsRequest by default, because paths to +critical Guest components can be redirected using such request. + +Signed-off-by: Dan Mihai +--- + src/tools/genpolicy/genpolicy-settings.json | 1 + + src/tools/genpolicy/rules.rego | 6 +++++- + src/tools/genpolicy/src/policy.rs | 3 +++ + tests/integration/kubernetes/tests_common.sh | 14 ++++++++++++++ + 4 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json +index 95972de77..b8b321f36 100644 +--- a/src/tools/genpolicy/genpolicy-settings.json ++++ b/src/tools/genpolicy/genpolicy-settings.json +@@ -316,6 +316,7 @@ + }, + "CloseStdinRequest": false, + "ReadStreamRequest": false, ++ "UpdateEphemeralMountsRequest": false, + "WriteStreamRequest": false + } + } +\ No newline at end of file +diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego +index a781b4e06..9f463dc0b 100644 +--- a/src/tools/genpolicy/rules.rego ++++ b/src/tools/genpolicy/rules.rego +@@ -39,7 +39,7 @@ default StatsContainerRequest := true + default StopTracingRequest := false + default TtyWinResizeRequest := true + default UpdateContainerRequest := false +-default UpdateEphemeralMountsRequest := true ++default UpdateEphemeralMountsRequest := false + default UpdateInterfaceRequest := true + default UpdateRoutesRequest := true + default WaitProcessRequest := true +@@ -1169,6 +1169,10 @@ ReadStreamRequest { + policy_data.request_defaults.ReadStreamRequest == true + } + ++UpdateEphemeralMountsRequest { ++ policy_data.request_defaults.UpdateEphemeralMountsRequest == true ++} ++ + WriteStreamRequest { + policy_data.request_defaults.WriteStreamRequest == true + 
} +diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs +index 026010ea2..9402e87ed 100644 +--- a/src/tools/genpolicy/src/policy.rs ++++ b/src/tools/genpolicy/src/policy.rs +@@ -344,6 +344,9 @@ pub struct RequestDefaults { + /// Allow Host reading from Guest containers stdout and stderr. + pub ReadStreamRequest: bool, + ++ /// Allow Host to update Guest mounts. ++ pub UpdateEphemeralMountsRequest: bool, ++ + /// Allow Host writing to Guest containers stdin. + pub WriteStreamRequest: bool, + } +diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh +index c88b4adec..192bc637b 100644 +--- a/tests/integration/kubernetes/tests_common.sh ++++ b/tests/integration/kubernetes/tests_common.sh +@@ -153,6 +153,14 @@ adapt_common_policy_settings_for_sev() { + jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" + } + ++# adapt common policy settings for CBL-Mariner https://github.com/kata-containers/kata-containers/issues/10189 ++adapt_common_policy_settings_for_cbl_mariner() { ++ local settings_dir=$1 ++ ++ info "Adapting common policy settings for CBL-Mariner" ++ jq '.request_defaults.UpdateEphemeralMountsRequest = true' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json" ++} ++ + # adapt common policy settings for various platforms + adapt_common_policy_settings() { + +@@ -166,6 +174,12 @@ adapt_common_policy_settings() { + adapt_common_policy_settings_for_sev "${settings_dir}" + ;; + esac ++ ++ case "${KATA_HOST_OS}" in ++ "cbl-mariner") ++ adapt_common_policy_settings_for_cbl_mariner "${settings_dir}" ++ ;; ++ esac + } + + # If auto-generated policy testing is enabled, make a copy of the genpolicy settings, 
+-- +2.46.0 + diff --git a/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch b/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch new file mode 100644 index 0000000000..9e944d9a2d --- /dev/null +++ b/packages/by-name/kata/kata-runtime/0006-genpolicy-validate-create-sandbox-storages.patch 
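Review bot: When `UpdateEphemeralMountsRequest` is switched on through the settings, as `adapt_common_policy_settings_for_cbl_mariner` now does, the new rule in rules.rego allows the request unconditionally: its only condition is `policy_data.request_defaults.UpdateEphemeralMountsRequest == true` and nothing looks at `input.storages`. Given the commit message's own warning that such a request can redirect paths to critical guest components, the enabled path should at least constrain the mount points the way `CreateSandboxRequest` storages are checked, or the Rust doc comment should state the trade-off, e.g. `/// Allow Host to update Guest mounts. When enabled, the request contents are not validated by the policy.` The CBL-Mariner override in tests_common.sh links an issue but does not say what breaks with the request denied; a one-line comment there would help whoever later removes the override.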
@@ -0,0 +1,147 @@ +From a0ed8e5860afccf3c336d294c20e222fd1356b4d Mon Sep 17 00:00:00 2001 +From: Dan Mihai +Date: Thu, 4 Jan 2024 22:28:24 +0000 +Subject: [PATCH 06/12] genpolicy: validate create sandbox storages + +Reject any unexpected values from the CreateSandboxRequest storages +field. + +Signed-off-by: Dan Mihai +--- + src/tools/genpolicy/genpolicy-settings.json | 19 ++++++++++++++++ + src/tools/genpolicy/rules.rego | 25 ++++++++++++++++++++- + src/tools/genpolicy/src/policy.rs | 11 +++++++++ + src/tools/genpolicy/src/settings.rs | 1 + + 4 files changed, 55 insertions(+), 1 deletion(-) + +diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json +index b8b321f36..fe1625bac 100644 +--- a/src/tools/genpolicy/genpolicy-settings.json ++++ b/src/tools/genpolicy/genpolicy-settings.json +@@ -213,6 +213,25 @@ + "/var/run/secrets/kubernetes.io/serviceaccount", + "/var/run/secrets/azure/tokens" + ], ++ "sandbox": { ++ "storages": [ ++ { ++ "driver": "ephemeral", ++ "driver_options": [], ++ "source": "shm", ++ "fstype": "tmpfs", ++ "options": [ ++ "noexec", ++ "nosuid", ++ "nodev", ++ "mode=1777", ++ "size=67108864" ++ ], ++ "mount_point": "/run/kata-containers/sandbox/shm", ++ "fs_group": null ++ } ++ ] ++ }, + "common": { + "cpath": "/run/kata-containers/shared/containers", + "mount_source_cpath": "/run/kata-containers/shared/containers", +diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego +index 9f463dc0b..de128476d 100644 +--- a/src/tools/genpolicy/rules.rego ++++ b/src/tools/genpolicy/rules.rego +@@ -824,7 +824,7 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) { + } + + ###################################################################### +-# Storages ++# Create container Storages + + allow_storages(p_storages, i_storages, bundle_id, sandbox_id) { + p_count := count(p_storages) +@@ -1097,6 +1097,27 @@ check_directory_traversal(i_path) { + not regex.match("(^|/)..($|/)", i_path) 
+ } + ++allow_sandbox_storages(i_storages) { ++ print("allow_sandbox_storages: i_storages =", i_storages) ++ ++ p_storages := policy_data.sandbox.storages ++ every i_storage in i_storages { ++ allow_sandbox_storage(p_storages, i_storage) ++ } ++ ++ print("allow_sandbox_storages: true") ++} ++ ++allow_sandbox_storage(p_storages, i_storage) { ++ print("allow_sandbox_storage: i_storage =", i_storage) ++ ++ some p_storage in p_storages ++ print("allow_sandbox_storage: p_storage =", p_storage) ++ i_storage == p_storage ++ ++ print("allow_sandbox_storage: true") ++} ++ + CopyFileRequest { + print("CopyFileRequest: input.path =", input.path) + +@@ -1123,6 +1144,8 @@ CreateSandboxRequest { + i_pidns := input.sandbox_pidns + print("CreateSandboxRequest: i_pidns =", i_pidns) + i_pidns == false ++ ++ allow_sandbox_storages(input.storages) + } + + ExecProcessRequest { +diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs +index 9402e87ed..973643e1f 100644 +--- a/src/tools/genpolicy/src/policy.rs ++++ b/src/tools/genpolicy/src/policy.rs +@@ -58,6 +58,9 @@ pub struct PolicyData { + /// Settings read from genpolicy-settings.json. + pub common: CommonData, + ++ /// Sandbox settings read from genpolicy-settings.json. ++ pub sandbox: SandboxData, ++ + /// Settings read from genpolicy-settings.json, related directly to each + /// kata agent endpoint, that get added to the output policy. + pub request_defaults: RequestDefaults, +@@ -391,6 +394,13 @@ pub struct ClusterConfig { + pub pause_container_image: String, + } + ++/// Struct used to read data from the settings file and copy that data into the policy. ++#[derive(Clone, Debug, Serialize, Deserialize)] ++pub struct SandboxData { ++ /// Expected value of the CreateSandboxRequest storages field. 
++ pub storages: Vec, ++} ++ + impl AgentPolicy { + pub async fn from_files(config: &utils::Config) -> Result { + let mut config_maps = Vec::new(); +@@ -498,6 +508,7 @@ impl AgentPolicy { + containers: policy_containers, + request_defaults: self.config.settings.request_defaults.clone(), + common: self.config.settings.common.clone(), ++ sandbox: self.config.settings.sandbox.clone(), + }; + + let json_data = serde_json::to_string_pretty(&policy_data).unwrap(); +diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs +index 949f6ad27..b7f0515d1 100644 +--- a/src/tools/genpolicy/src/settings.rs ++++ b/src/tools/genpolicy/src/settings.rs +@@ -24,6 +24,7 @@ pub struct Settings { + pub request_defaults: policy::RequestDefaults, + pub common: policy::CommonData, + pub mount_destinations: Vec, ++ pub sandbox: policy::SandboxData, + } + + /// Volume settings loaded from genpolicy-settings.json. +-- +2.46.0 + diff --git a/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch b/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch new file mode 100644 index 0000000000..b871756d21 --- /dev/null +++ b/packages/by-name/kata/kata-runtime/0007-genpolicy-enable-sysctl-checks.patch 
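Review bot: `allow_sandbox_storages` requires each input storage to equal one policy entry in full (`i_storage == p_storage`), including `options` order and the `size=67108864` tmpfs size, while an empty `input.storages` passes vacuously because `every` over an empty set is true. The strict match is the right default, but it is worth stating, since any change to the sandbox shm size or option order on the runtime side will fail CreateSandboxRequest with only the generic prints to go on, and a sandbox that omits the shm mount is still accepted. Suggest a comment above the rule: `# Each input storage must exactly equal one expected sandbox storage; omitted storages are tolerated, altered or unexpected ones are rejected.` and in policy.rs `/// Expected CreateSandboxRequest storages, compared field-for-field against the request.`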
@@ -0,0 +1,223 @@ +From 859198b5c828aa390dfdf7386b341b86cdd5d060 Mon Sep 17 00:00:00 2001 +From: Markus Rudy +Date: Wed, 24 Jul 2024 09:48:48 +0200 +Subject: [PATCH 07/12] genpolicy: enable sysctl checks + +Sysctls may be added to a container by the Kubernetes pod definition or +by containerd configuration. This commit adds support for the +corresponding PodSpec field and an option to specify +environment-dependent sysctls in the settings file. +--- + src/tools/genpolicy/genpolicy-settings.json | 10 ++++++++++ + src/tools/genpolicy/rules.rego | 19 ++++++++++++++++++- + src/tools/genpolicy/src/containerd.rs | 4 ++++ + src/tools/genpolicy/src/pod.rs | 20 ++++++++++++++++++++ + src/tools/genpolicy/src/policy.rs | 10 ++++++++++ + 5 files changed, 62 insertions(+), 1 deletion(-) + +diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json +index fe1625bac..e50d5e545 100644 +--- a/src/tools/genpolicy/genpolicy-settings.json ++++ b/src/tools/genpolicy/genpolicy-settings.json +@@ -39,6 +39,10 @@ + ] + }, + "Linux": { ++ "Sysctl": { ++ "net.ipv4.ip_unprivileged_port_start": "0", ++ "net.ipv4.ping_group_range": "0 2147483647" ++ }, + "MaskedPaths": [ + "/proc/acpi", + "/proc/asound", +@@ -132,6 +136,12 @@ + "io.kubernetes.cri.sandbox-id": "^[a-z0-9]{64}$", + "io.katacontainers.pkg.oci.container_type": "pod_container", + "io.kubernetes.cri.container-type": "container" ++ }, ++ "Linux": { ++ "Sysctl": { ++ "net.ipv4.ip_unprivileged_port_start": "0", ++ "net.ipv4.ping_group_range": "0 2147483647" ++ } + } + }, + "volumes": { +diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego +index de128476d..fe80ed11f 100644 +--- a/src/tools/genpolicy/rules.rego ++++ b/src/tools/genpolicy/rules.rego +@@ -112,7 +112,6 @@ allow_create_container_input { + is_null(i_linux.Resources.Network) + is_null(i_linux.Resources.Pids) + is_null(i_linux.Seccomp) +- i_linux.Sysctl == {} + + i_process := i_oci.Process + 
count(i_process.SelinuxLabel) == 0 +@@ -389,6 +388,7 @@ allow_linux(p_oci, i_oci) { + allow_masked_paths(p_oci, i_oci) + allow_readonly_paths(p_oci, i_oci) + allow_linux_devices(p_oci.Linux.Devices, i_oci.Linux.Devices) ++ allow_linux_sysctl(p_oci.Linux, i_oci.Linux) + + print("allow_linux: true") + } +@@ -487,6 +487,23 @@ allow_linux_devices(p_devices, i_devices) { + print("allow_linux_devices: true") + } + ++allow_linux_sysctl(p_linux, i_linux) { ++ print("allow_linux_sysctl 1: start") ++ not i_linux["Sysctl"] ++ print("allow_linux_sysctl 1: true") ++} ++ ++allow_linux_sysctl(p_linux, i_linux) { ++ print("allow_linux_sysctl 2: start") ++ p_sysctl := p_linux.Sysctl ++ i_sysctl := i_linux.Sysctl ++ every i_name, i_val in i_sysctl { ++ print("allow_linux_sysctl: i_name =", i_name, "i_val =", i_val) ++ p_sysctl[i_name] == i_val ++ } ++ print("allow_linux_sysctl 2: true") ++} ++ + # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path" + # and io.kubernetes.cri.sandbox-id" values with other fields. + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { +diff --git a/src/tools/genpolicy/src/containerd.rs b/src/tools/genpolicy/src/containerd.rs +index 075fced5b..2922ea0ab 100644 +--- a/src/tools/genpolicy/src/containerd.rs ++++ b/src/tools/genpolicy/src/containerd.rs +@@ -3,6 +3,8 @@ + // SPDX-License-Identifier: Apache-2.0 + // + ++use std::collections::HashMap; ++ + use crate::policy; + + // Default process field from containerd. 
+@@ -153,6 +155,7 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux { + "/proc/sysrq-trigger".to_string(), + ], + Devices: vec![], ++ Sysctl: HashMap::new(), + } + } else { + policy::KataLinux { +@@ -160,6 +163,7 @@ pub fn get_linux(privileged_container: bool) -> policy::KataLinux { + MaskedPaths: vec![], + ReadonlyPaths: vec![], + Devices: vec![], ++ Sysctl: HashMap::new(), + } + } + } +diff --git a/src/tools/genpolicy/src/pod.rs b/src/tools/genpolicy/src/pod.rs +index 4fda02916..25a320f4a 100644 +--- a/src/tools/genpolicy/src/pod.rs ++++ b/src/tools/genpolicy/src/pod.rs +@@ -21,6 +21,7 @@ use log::{debug, warn}; + use protocols::agent; + use serde::{Deserialize, Serialize}; + use std::collections::BTreeMap; ++use std::collections::HashMap; + + /// See Reference / Kubernetes API / Workload Resources / Pod. + #[derive(Clone, Debug, Serialize, Deserialize)] +@@ -295,6 +296,9 @@ struct SecurityContext { + + #[serde(skip_serializing_if = "Option::is_none")] + seccompProfile: Option, ++ ++ #[serde(skip_serializing_if = "Option::is_none")] ++ sysctls: Option>, + } + + /// See Reference / Kubernetes API / Workload Resources / Pod. +@@ -307,6 +311,13 @@ struct SeccompProfile { + localhostProfile: Option, + } + ++/// See Reference / Kubernetes API / Workload Resources / Pod. ++#[derive(Clone, Debug, Serialize, Deserialize)] ++struct Sysctl { ++ name: String, ++ value: String, ++} ++ + /// See Reference / Kubernetes API / Workload Resources / Pod. 
+ #[derive(Clone, Debug, Serialize, Deserialize)] + struct PodSecurityContext { +@@ -696,6 +707,14 @@ impl Container { + + commands + } ++ ++ pub fn apply_sysctls(&self, sysctls: &mut HashMap) { ++ if let Some(securityContext) = &self.securityContext { ++ if let Some(container_sysctls) = &securityContext.sysctls { ++ sysctls.extend(container_sysctls.iter().map(|el| (el.name.clone(), el.value.clone()))); ++ } ++ } ++ } + } + + impl EnvFromSource { +@@ -996,6 +1015,7 @@ pub async fn add_pause_container(containers: &mut Vec, config: &Confi + capabilities: None, + runAsUser: None, + seccompProfile: None, ++ sysctls: None, + }), + ..Default::default() + }; +diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs +index 973643e1f..adbdf97f3 100644 +--- a/src/tools/genpolicy/src/policy.rs ++++ b/src/tools/genpolicy/src/policy.rs +@@ -27,6 +27,7 @@ use serde_yaml::Value; + use sha2::{Digest, Sha256}; + use std::boxed; + use std::collections::BTreeMap; ++use std::collections::HashMap; + use std::fs::read_to_string; + use std::io::Write; + +@@ -180,14 +181,20 @@ pub struct KataLinux { + pub Namespaces: Vec, + + /// MaskedPaths masks over the provided paths inside the container. ++ #[serde(default)] + pub MaskedPaths: Vec, + + /// ReadonlyPaths sets the provided paths as RO inside the container. ++ #[serde(default)] + pub ReadonlyPaths: Vec, + + /// Devices contains devices to be created inside the container. + #[serde(default)] + pub Devices: Vec, ++ ++ /// Sysctls contains sysctls to be applied inside the container. ++ #[serde(default, skip_serializing_if = "HashMap::is_empty")] ++ pub Sysctl: HashMap, + } + + /// OCI container LinuxNamespace struct. 
This struct is similar to the LinuxNamespace +@@ -616,6 +623,9 @@ impl AgentPolicy { + linux.Devices.push(default_device.clone()) + } + ++ linux.Sysctl.extend(c_settings.Linux.Sysctl.clone()); ++ yaml_container.apply_sysctls(&mut linux.Sysctl); ++ + ContainerPolicy { + OCI: KataSpec { + Version: self.config.settings.kata_config.oci_version.clone(), +-- +2.46.0 + diff --git a/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch b/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch new file mode 100644 index 0000000000..213cbc98fc --- /dev/null +++ b/packages/by-name/kata/kata-runtime/0008-genpolicy-read-bundle-id-from-rootfs.patch 
@@ -0,0 +1,72 @@ +From b707725567f98ee08550b372e7a180ea6be05a11 Mon Sep 17 00:00:00 2001 +From: Markus Rudy +Date: Wed, 24 Jul 2024 09:51:57 +0200 +Subject: [PATCH 08/12] genpolicy: read bundle-id from rootfs + +The host path of bundles is not portable and could be literally anything +depending on containerd configuration, so we can't rely on a specific +prefix when deriving the bundle-id. Instead, we derive the bundle-id +from the target root path in the guest. + +NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10065 +--- + src/tools/genpolicy/rules.rego | 29 ++++++++--------------------- + 1 file changed, 8 insertions(+), 21 deletions(-) + +diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego +index fe80ed11f..7cd3d4202 100644 +--- a/src/tools/genpolicy/rules.rego ++++ b/src/tools/genpolicy/rules.rego +@@ -509,9 +509,6 @@ allow_linux_sysctl(p_linux, i_linux) { + allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: start") + +- bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"] +- bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "") +- + key := "io.kubernetes.cri.sandbox-id" + + p_regex := p_oci.Annotations[key] +@@ -520,7 +517,14 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) { + print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex) + regex.match(p_regex, sandbox_id) + +- allow_root_path(p_oci, i_oci, bundle_id) ++ i_root := i_oci.Root.Path ++ p_root_pattern1 := p_oci.Root.Path ++ p_root_pattern2 := replace(p_root_pattern1, "$(cpath)", policy_data.common.cpath) ++ p_root_pattern3 := replace(p_root_pattern2, "$(bundle-id)", "([0-9a-f]{64})") ++ print("allow_by_bundle_or_sandbox_id: i_root =", i_root, "regex =", p_root_pattern3) ++ ++ # Verify that the root path matches the substituted pattern and extract the bundle-id. 
++ bundle_id := regex.find_all_string_submatch_n(p_root_pattern3, i_root, 1)[0][1] + + every i_mount in input.OCI.Mounts { + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) +@@ -772,23 +776,6 @@ is_ip_other_byte(component) { + number <= 255 + } + +-# OCI root.Path +-allow_root_path(p_oci, i_oci, bundle_id) { +- i_path := i_oci.Root.Path +- p_path1 := p_oci.Root.Path +- print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1) +- +- p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath) +- print("allow_root_path: p_path2 =", p_path2) +- +- p_path3 := replace(p_path2, "$(bundle-id)", bundle_id) +- print("allow_root_path: p_path3 =", p_path3) +- +- p_path3 == i_path +- +- print("allow_root_path: true") +-} +- + # device mounts + allow_mount(p_oci, i_mount, bundle_id, sandbox_id) { + print("allow_mount: i_mount =", i_mount) +-- +2.46.0 + diff --git a/packages/by-name/kata/kata-runtime/0009-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/packages/by-name/kata/kata-runtime/0009-genpolicy-regex-check-contrast-specific-layer-src-pr.patch new file mode 100644 index 0000000000..b4d12158f7 --- /dev/null +++ b/packages/by-name/kata/kata-runtime/0009-genpolicy-regex-check-contrast-specific-layer-src-pr.patch 
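Review bot: The new root-path check is weaker than the `allow_root_path` equality it removes: `regex.find_all_string_submatch_n(p_root_pattern3, i_root, 1)` searches for the pattern anywhere in `i_root`, and `p_root_pattern3` is built from `p_oci.Root.Path` with `$(cpath)` pasted in verbatim, so unless the settings value already carries `^`/`$` an input root such as `/evil/run/kata-containers/<64 hex>/rootfs/../..` still matches and yields a usable bundle_id for the later mount checks. Anchor the pattern before matching, e.g. `p_root_pattern3 := concat("", ["^", replace(p_root_pattern2, "$(bundle-id)", "([0-9a-f]{64})"), "$"])`, and since `cpath` is a filesystem path rather than a regex, either escape it or additionally assert that the reconstructed path equals `i_root` as the old rule did. Indexing `[0][1]` on an empty result is undefined in Rego and therefore denies, which is the intended outcome; a comment saying so would save the next reader a check.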
@@ -0,0 +1,27 @@
+From c4cb5d00d2372285283f26027e91354bd8e45bad Mon Sep 17 00:00:00 2001
+From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+Date: Thu, 11 Jul 2024 12:05:00 +0200
+Subject: [PATCH 09/12] genpolicy: regex check contrast specific
+ layer-src-prefix
+
+Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
+---
+ src/tools/genpolicy/rules.rego | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
+index 7cd3d4202..768d126f5 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -906,7 +906,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+ i_count == p_count + 3
+
+ print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])
+- i_storage.options[0] == "io.katacontainers.fs-opt.layer-src-prefix=/var/lib/containerd/io.containerd.snapshotter.v1.tardev/layers"
++ regex.match(`io\.katacontainers\.fs-opt\.layer-src-prefix=/var/lib/containerd/io\.containerd\.snapshotter\.v1\.tardev-contrast-cc-(aks|k3s|rke2)-(qemu|clh)-(snp|tdx)-[a-f0-9]{8}/layers`, i_storage.options[0])
+
+ print("allow_storage_options 2: i_storage.options[i_count - 2] =", i_storage.options[i_count - 2])
+ i_storage.options[i_count - 2] == "io.katacontainers.fs-opt.overlay-rw"
+--
+2.46.0
+
diff --git a/packages/by-name/kata/kata-runtime/0010-genpolicy-settings-bump-OCI-version.patch b/packages/by-name/kata/kata-runtime/0010-genpolicy-settings-bump-OCI-version.patch
new file mode 100644
index 0000000000..e5085eacc4
--- /dev/null
+++ b/packages/by-name/kata/kata-runtime/0010-genpolicy-settings-bump-OCI-version.patch
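Review bot: Rego's `regex.match` is a search rather than a full-string match, and the new pattern has no `^`/`$` anchors, so the replaced equality is loosened beyond the intended `tardev-contrast-cc-<platform>-<hash>` variants: an `options[0]` value with arbitrary text before `io.katacontainers` or after `/layers` (for instance a trailing `/../..`) still passes. Add `^` at the start and `$` at the end of the raw-string pattern so only the exact prefix forms are accepted. A short comment naming what the eight-hex-digit suffix denotes would also help, since the policy now hard-codes Contrast's snapshotter layout into genpolicy. The enclosing `allow_storage_options` rule starts and ends outside the hunk.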
@@ -0,0 +1,33 @@
+From 649a0721c6dcce35912c18499e8027663b6470e3 Mon Sep 17 00:00:00 2001
+From: Markus Rudy
+Date: Wed, 24 Jul 2024 11:16:37 +0200
+Subject: [PATCH 10/12] genpolicy-settings: bump OCI version
+
+Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
+---
+ src/tools/genpolicy/genpolicy-settings.json | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index e50d5e545..fcafa46cc 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -312,7 +312,7 @@
+ },
+ "kata_config": {
+ "confidential_guest": false,
+- "oci_version": "1.1.0"
++ "oci_version": "1.2.0"
+ },
+ "cluster_config": {
+ "default_namespace": "default",
+@@ -348,4 +348,4 @@
+ "UpdateEphemeralMountsRequest": false,
+ "WriteStreamRequest": false
+ }
+-}
+\ No newline at end of file
++}
+--
+2.46.0
+
diff --git a/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch b/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch
new file mode 100644
index 0000000000..85e4d89c57
--- /dev/null
+++ b/packages/by-name/kata/kata-runtime/0011-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch
@@ -0,0 +1,27 @@
+From 6da7c9123b5d4695b617ab8a137265da0c0bb72f Mon Sep 17 00:00:00 2001
+From: Markus Rudy
+Date: Mon, 12 Aug 2024 14:18:43 +0200
+Subject: [PATCH 11/12] genpolicy-settings: change cpath for Nydus guest pull
+
+Nydus uses a different base dir for container rootfs, see
+https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139
+---
+ src/tools/genpolicy/genpolicy-settings.json | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index fcafa46cc..4e9f6481d 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -243,7 +243,7 @@
+ ]
+ },
+ "common": {
+- "cpath": "/run/kata-containers/shared/containers",
++ "cpath": "/run/kata-containers",
+ "mount_source_cpath": "/run/kata-containers/shared/containers",
+ "sfprefix": "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-",
+ "ip_p": "[0-9]{1,5}",
+--
+2.46.0
+
diff --git a/packages/by-name/kata/kata-runtime/0012-genpolicy-allow-image_guest_pull.patch b/packages/by-name/kata/kata-runtime/0012-genpolicy-allow-image_guest_pull.patch
new file mode 100644
index 0000000000..28be745de0
--- /dev/null
+++ b/packages/by-name/kata/kata-runtime/0012-genpolicy-allow-image_guest_pull.patch
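Review bot: Only `common.cpath` changes here, but every other settings pattern that expands `$(cpath)` moves with it: `sfprefix` in this same hunk, and the volume `mount_source`/`mount_point` patterns elsewhere in the file, which `mount_source_cpath` staying at `/run/kata-containers/shared/containers` suggests were not all meant to follow. The SEV helper the commit message points at (`adapt_common_policy_settings_for_sev`, visible in patch 0005's context) rewrites `volumes.configMap.mount_point` together with `cpath`, and patch 0012 separately fixes the `emptyDir` mount_point, so the remaining volume patterns likely need the same review. Please confirm each `$(cpath)` consumer still matches what the agent reports under Nydus guest pull, and list the checked patterns in the commit message.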
@@ -0,0 +1,2347 @@
+From dd3dcd31c027fa6ad108d22709f6d6df40844afe Mon Sep 17 00:00:00 2001
+From: Markus Rudy
+Date: Thu, 1 Aug 2024 15:58:42 +0200
+Subject: [PATCH 12/12] genpolicy: allow image_guest_pull
+
+This adds an alternative version of allow_storages that checks Nydus
+guest pull instructions. The image reference is present in two
+locations, but currently only read from the driver options. However, to
+be safe against future changes in image-rs, we check both references
+against the policy digest.
+
+Since containerd removes the image tag if the reference has a digest, we
+cannot compare the strings byte for byte. Instead, we only compare the
+digest parts, which are considered sufficient to identify an image. An
+image reference without a digest cannot be meaningfully checked, so we
+don't even bother handling that case.
+---
+ src/tools/genpolicy/genpolicy-settings.json | 2 +-
+ src/tools/genpolicy/rules.rego | 116 +-
+ src/tools/genpolicy/src/policy.rs | 4 +
+ src/tools/genpolicy/tests/main.rs | 7 +-
+ .../createcontainer/guest_pull/pod.yaml | 11 +
+ .../createcontainer/guest_pull/testcases.json | 2027 +++++++++++++++++
+ 6 files changed, 2147 insertions(+), 20 deletions(-)
+ create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml
+ create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json
+
+diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
+index 4e9f6481d..e3b36a655 100644
+--- a/src/tools/genpolicy/genpolicy-settings.json
++++ b/src/tools/genpolicy/genpolicy-settings.json
+@@ -148,7 +148,7 @@
+ "emptyDir": {
+ "mount_type": "local",
+ "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
+- "mount_point": "^$(cpath)/$(sandbox-id)/local/",
++ "mount_point": "^$(cpath)/$(sandbox-id)/rootfs/local/",
+ "driver": "local",
+ "source": "local",
+ "fstype": "local",
+diff --git a/src/tools/genpolicy/rules.rego 
b/src/tools/genpolicy/rules.rego
+index 768d126f5..685109ba6 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -80,7 +80,7 @@ CreateContainerRequest {
+ allow_anno(p_oci, i_oci)
+
+ p_storages := p_container.storages
+- allow_by_anno(p_oci, i_oci, p_storages, i_storages)
++ allow_by_anno(p_container, i_oci, i_storages)
+
+ p_devices := p_container.devices
+ allow_devices(p_devices, i_devices)
+@@ -160,47 +160,48 @@ allow_anno_key(i_key, p_oci) {
+
+ # Get the value of the "io.kubernetes.cri.sandbox-name" annotation and
+ # correlate it with other annotations and process fields.
+-allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
++allow_by_anno(p_container, i_oci, i_storages) {
+ print("allow_by_anno 1: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+- not p_oci.Annotations[s_name]
++ not p_container.OCI.Annotations[s_name]
+
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 1: i_s_name =", i_s_name)
+
+- allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
++ allow_by_sandbox_name(p_container, i_oci, i_storages, i_s_name)
+
+ print("allow_by_anno 1: true")
+ }
+-allow_by_anno(p_oci, i_oci, p_storages, i_storages) {
++allow_by_anno(p_container, i_oci, i_storages) {
+ print("allow_by_anno 2: start")
+
+ s_name := "io.kubernetes.cri.sandbox-name"
+
+- p_s_name := p_oci.Annotations[s_name]
++ p_s_name := p_container.OCI.Annotations[s_name]
+ i_s_name := i_oci.Annotations[s_name]
+ print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
+
+ allow_sandbox_name(p_s_name, i_s_name)
+- allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name)
++ allow_by_sandbox_name(p_container, i_oci, i_storages, i_s_name)
+
+ print("allow_by_anno 2: true")
+ }
+
+-allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
++allow_by_sandbox_name(p_container, i_oci, i_storages, s_name) {
+ print("allow_by_sandbox_name: start")
+
+ s_namespace := 
"io.kubernetes.cri.sandbox-namespace"
+
++ p_oci := p_container.OCI
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+ p_namespace == i_namespace
+
+ allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
+- allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
++ allow_by_bundle_or_sandbox_id(p_container, i_oci, i_storages)
+ allow_process(p_oci, i_oci, s_name)
+
+ print("allow_by_sandbox_name: true")
+@@ -506,11 +507,12 @@ allow_linux_sysctl(p_linux, i_linux) {
+
+ # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
+ # and io.kubernetes.cri.sandbox-id" values with other fields.
+-allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
++allow_by_bundle_or_sandbox_id(p_container, i_oci, i_storages) {
+ print("allow_by_bundle_or_sandbox_id: start")
+
+ key := "io.kubernetes.cri.sandbox-id"
+
++ p_oci := p_container.OCI
+ p_regex := p_oci.Annotations[key]
+ sandbox_id := i_oci.Annotations[key]
+
+@@ -530,8 +532,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+ allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
+ }
+
+- # TODO: enable allow_storages() after fixing https://github.com/kata-containers/kata-containers/issues/8833
+- # allow_storages(p_storages, i_storages, bundle_id, sandbox_id)
++ allow_storages(p_container, i_storages, bundle_id, sandbox_id)
+
+ print("allow_by_bundle_or_sandbox_id: true")
+ }
+@@ -830,30 +831,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+ ######################################################################
+ # Create container Storages
+
+-allow_storages(p_storages, i_storages, bundle_id, sandbox_id) {
++# Allow image_guest_pull storage
++allow_storages(p_container, i_storages, bundle_id, sandbox_id) {
++ print("allow_storages 1: start")
++ i_count := count(i_storages)
++ 
print("allow_storages 1: i_count =", i_count)
++ i_count >= 1
++
++ # First storage: image guest pull
++
++ i_storage := i_storages[0]
++ i_storage.driver == "image_guest_pull"
++ i_storage.fstype == "overlay"
++
++ p_mount_point := concat("/", [policy_data.common.cpath, bundle_id, "rootfs"])
++ print("allow_storages 1: i_storage.mount_point =", i_storage.mount_point, "p_mount_point =", p_mount_point)
++ i_storage.mount_point == p_mount_point
++
++ print("allow_storages 1: p_container.image =", p_container.image, "i_storage.source =", i_storage.source)
++
++ count(i_storage.driver_options) == 1
++ i_driver_option := i_storage.driver_options[0]
++
++ i_driver_options_json := trim_prefix(i_driver_option, "image_guest_pull=")
++ print("allow_storages 1: i_driver_options_json =", i_driver_options_json)
++ i_driver_options := json.unmarshal(i_driver_options_json)
++
++ allow_guest_pull(p_container.image, i_storage.source, i_driver_options)
++
++ # Other storages: local mounts
++
++ every i_storage in array.slice(i_storages, 1, count(i_storages)) {
++ some p_storage in p_container.storages
++ some allowed_driver in ["local", "ephemeral"]
++ p_storage.driver == allowed_driver
++ p_storage.options == i_storage.options
++
++ mount1 := p_storage.mount_point
++ mount2 := replace(mount1, "$(cpath)", policy_data.common.mount_source_cpath)
++ mount3 := replace(mount2, "$(sandbox-id)", sandbox_id)
++ print("allow_mount_point 3: mount3 =", mount3, "i_storage.mount_point =", i_storage.mount_point)
++ regex.match(mount3, i_storage.mount_point)
++ }
++
++ print("allow_storages 1: true")
++}
++
++allow_guest_pull(p_container_image, i_storage_source, i_driver_options) {
++ print("allow_guest_pull 1: start")
++ # pause container is only allowed in the sandbox container. 
++ i_driver_options.metadata["io.kubernetes.cri.container-type"] == "sandbox"
++ i_storage_source == "pause"
++ not i_driver_options.metadata["io.kubernetes.cri.image-name"]
++ print("allow_guest_pull 1: true")
++}
++
++allow_guest_pull(p_container_image, i_storage_source, i_driver_options) {
++ print("allow_guest_pull 2: start")
++ # Non-sandbox container images are compared against reference values.
++ i_driver_options.metadata["io.kubernetes.cri.container-type"] == "container"
++ is_same_image(i_storage_source, p_container_image)
++ is_same_image(i_driver_options.metadata["io.kubernetes.cri.image-name"], p_container_image)
++ print("allow_guest_pull 2: true")
++}
++
++is_same_image(a, b) {
++ # Images are the same if their digests are the same.
++ digest_re = "^[^@]+(@.+)?$"
++
++ print("is_same_image: a =", a, "b =", b)
++
++ a_match := regex.find_all_string_submatch_n(digest_re, a, 1)
++ b_match := regex.find_all_string_submatch_n(digest_re, b, 1)
++ a_match[0][1] == b_match[0][1]
++
++ print("is_same_image: true")
++}
++
++# Allow tardev-snapshotter storage
++allow_storages(p_container, i_storages, bundle_id, sandbox_id) {
++ p_storages := p_container.storages
+ p_count := count(p_storages)
+ i_count := count(i_storages)
+- print("allow_storages: p_count =", p_count, "i_count =", i_count)
++ print("allow_storages 2: p_count =", p_count, "i_count =", i_count)
+
+ p_count == i_count
+
+ # Get the container image layer IDs and verity root hashes, from the "overlayfs" storage. 
+ some overlay_storage in p_storages
+ overlay_storage.driver == "overlayfs"
+- print("allow_storages: overlay_storage =", overlay_storage)
++ print("allow_storages 2: overlay_storage =", overlay_storage)
+ count(overlay_storage.options) == 2
+
+ layer_ids := split(overlay_storage.options[0], ":")
+- print("allow_storages: layer_ids =", layer_ids)
++ print("allow_storages 2: layer_ids =", layer_ids)
+
+ root_hashes := split(overlay_storage.options[1], ":")
+- print("allow_storages: root_hashes =", root_hashes)
++ print("allow_storages 2: root_hashes =", root_hashes)
+
+ every i_storage in i_storages {
+ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes)
+ }
+
+- print("allow_storages: true")
++ print("allow_storages 2: true")
+ }
+
+ allow_storage(p_storages, i_storage, bundle_id, sandbox_id, layer_ids, root_hashes) {
+diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
+index adbdf97f3..c4dc4ac3c 100644
+--- a/src/tools/genpolicy/src/policy.rs
++++ b/src/tools/genpolicy/src/policy.rs
+@@ -270,6 +270,9 @@ pub struct ContainerPolicy {
+ /// Data compared with req.OCI for CreateContainerRequest calls.
+ pub OCI: KataSpec,
+
++ /// Container image reference.
++ image: String,
++
+ /// Data compared with req.storages for CreateContainerRequest calls. 
+ storages: Vec,
+
+@@ -636,6 +639,7 @@ impl AgentPolicy {
+ Annotations: annotations,
+ Linux: linux,
+ },
++ image: yaml_container.image.clone(),
+ storages,
+ devices,
+ sandbox_pidns,
+diff --git a/src/tools/genpolicy/tests/main.rs b/src/tools/genpolicy/tests/main.rs
+index 565b3e2a0..a3a08d96e 100644
+--- a/src/tools/genpolicy/tests/main.rs
++++ b/src/tools/genpolicy/tests/main.rs
+@@ -9,7 +9,7 @@ use std::path;
+ use std::process::Command;
+ use std::str;
+
+-use protocols::agent::{CopyFileRequest, CreateSandboxRequest};
++use protocols::agent::{CopyFileRequest, CreateContainerRequest, CreateSandboxRequest};
+ use serde::de::DeserializeOwned;
+ use serde::{Deserialize, Serialize};
+
+@@ -99,3 +99,8 @@ fn test_copyfile() {
+ fn test_create_sandbox() {
+ runtests::("createsandbox");
+ }
++
++#[test]
++fn test_create_container_guest_pull() {
++ runtests::("createcontainer/guest_pull");
++}
+diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml
+new file mode 100644
+index 000000000..203af19a6
+--- /dev/null
++++ b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml
+@@ -0,0 +1,11 @@
++apiVersion: v1
++kind: Pod
++metadata:
++ name: dummy
++spec:
++ runtimeClassName: kata-cc-isolation
++ containers:
++ - name: dummy-ctr
++ image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db
++ securityContext:
++ privileged: true
+diff --git a/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json
+new file mode 100644
+index 000000000..2f21e0674
+--- /dev/null
++++ b/src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json
+@@ -0,0 +1,2027 @@
++[
++ {
++ "description": "expected main container",
++ "allowed": true,
++ "request": {
++ "container_id": 
"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "string_user": null, ++ "devices": [], ++ "storages": [ ++ { ++ "driver": "image_guest_pull", ++ "driver_options": [ ++ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ ], ++ "source": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", ++ "fstype": "overlay", ++ "options": [], ++ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, ++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ 
"KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", 
++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ "mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ 
"nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": "/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": 
"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ "Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ }, ++ { ++ "description": "expected main container without tag", ++ "allowed": true, ++ "request": { ++ "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "string_user": null, ++ "devices": [], ++ "storages": [ ++ { ++ "driver": "image_guest_pull", ++ "driver_options": 
[ ++ "image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ ], ++ "source": "registry.k8s.io/pause@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", ++ "fstype": "overlay", ++ "options": [], ++ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, ++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ "KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ 
"CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ 
"CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ "mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ 
"rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": "/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": 
"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ "Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ }, ++ { ++ "description": "unexpected image in source", ++ "allowed": false, ++ "request": { ++ "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "string_user": null, ++ "devices": [], ++ "storages": [ ++ { ++ "driver": "image_guest_pull", ++ "driver_options": [ ++ 
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ ], ++ "source": "registry.k8s.io/pause:3.6@sha256:0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d", ++ "fstype": "overlay", ++ "options": [], ++ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, ++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ "KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ 
"CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ 
"CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ "mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ 
"rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": "/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": 
"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ "Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ }, ++ { ++ "description": "unexpected image in driver_options", ++ "allowed": false, ++ "request": { ++ "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "string_user": null, ++ "devices": [], ++ "storages": [ ++ { ++ "driver": "image_guest_pull", ++ "driver_options": [ ++ 
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6@sha256:0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d0badf00d\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ ], ++ "source": "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db", ++ "fstype": "overlay", ++ "options": [], ++ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, ++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ "KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ 
"CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ 
"CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ "mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ 
"rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": "/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": 
"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ "Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ }, ++ { ++ "description": "image without digest", ++ "allowed": false, ++ "request": { ++ "container_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "exec_id": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "string_user": null, ++ "devices": [], ++ "storages": [ ++ { ++ "driver": "image_guest_pull", ++ "driver_options": [ ++ 
"image_guest_pull={\"metadata\":{\"io.katacontainers.pkg.oci.bundle_path\":\"/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef\",\"io.katacontainers.pkg.oci.container_type\":\"pod_container\",\"io.kubernetes.cri.container-name\":\"reader\",\"io.kubernetes.cri.container-type\":\"container\",\"io.kubernetes.cri.image-name\":\"registry.k8s.io/pause:3.6\",\"io.kubernetes.cri.sandbox-id\":\"0000000000000000000000000000000000000000000000000000000000000001\",\"io.kubernetes.cri.sandbox-name\":\"dummy\",\"io.kubernetes.cri.sandbox-namespace\":\"default\",\"io.kubernetes.cri.sandbox-uid\":\"409eab9f-b794-48b6-9424-ae53bc5d65ba\"}}" ++ ], ++ "source": "registry.k8s.io/pause:3.6", ++ "fstype": "overlay", ++ "options": [], ++ "mount_point": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "fs_group": null ++ } ++ ], ++ "OCI": { ++ "Version": "1.1.0", ++ "Process": { ++ "Terminal": false, ++ "ConsoleSize": null, ++ "User": { ++ "UID": 0, ++ "GID": 0, ++ "AdditionalGids": [ ++ 0, ++ 1, ++ 2, ++ 3, ++ 4, ++ 6, ++ 10, ++ 11, ++ 20, ++ 26, ++ 27 ++ ], ++ "Username": "" ++ }, ++ "Args": [ ++ "/pause" ++ ], ++ "Env": [ ++ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ++ "HOSTNAME=dummy", ++ "KUBERNETES_PORT_443_TCP_PROTO=tcp", ++ "KUBERNETES_PORT_443_TCP_PORT=443", ++ "KUBERNETES_PORT_443_TCP_ADDR=10.43.0.1", ++ "KUBERNETES_SERVICE_HOST=10.43.0.1", ++ "KUBERNETES_SERVICE_PORT=443", ++ "KUBERNETES_SERVICE_PORT_HTTPS=443", ++ "KUBERNETES_PORT=tcp://10.43.0.1:443", ++ "KUBERNETES_PORT_443_TCP=tcp://10.43.0.1:443" ++ ], ++ "Cwd": "/", ++ "Capabilities": { ++ "Bounding": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", 
++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Effective": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ "CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Inheritable": [], ++ "Permitted": [ ++ "CAP_CHOWN", ++ "CAP_DAC_OVERRIDE", ++ "CAP_DAC_READ_SEARCH", ++ "CAP_FOWNER", ++ "CAP_FSETID", ++ "CAP_KILL", ++ "CAP_SETGID", ++ "CAP_SETUID", ++ "CAP_SETPCAP", ++ "CAP_LINUX_IMMUTABLE", ++ "CAP_NET_BIND_SERVICE", ++ "CAP_NET_BROADCAST", ++ "CAP_NET_ADMIN", ++ "CAP_NET_RAW", ++ "CAP_IPC_LOCK", ++ "CAP_IPC_OWNER", ++ "CAP_SYS_MODULE", ++ "CAP_SYS_RAWIO", ++ "CAP_SYS_CHROOT", ++ "CAP_SYS_PTRACE", ++ "CAP_SYS_PACCT", ++ "CAP_SYS_ADMIN", ++ "CAP_SYS_BOOT", ++ "CAP_SYS_NICE", ++ "CAP_SYS_RESOURCE", ++ "CAP_SYS_TIME", ++ 
"CAP_SYS_TTY_CONFIG", ++ "CAP_MKNOD", ++ "CAP_LEASE", ++ "CAP_AUDIT_WRITE", ++ "CAP_AUDIT_CONTROL", ++ "CAP_SETFCAP", ++ "CAP_MAC_OVERRIDE", ++ "CAP_MAC_ADMIN", ++ "CAP_SYSLOG", ++ "CAP_WAKE_ALARM", ++ "CAP_BLOCK_SUSPEND", ++ "CAP_AUDIT_READ", ++ "CAP_PERFMON", ++ "CAP_BPF", ++ "CAP_CHECKPOINT_RESTORE" ++ ], ++ "Ambient": [] ++ }, ++ "Rlimits": [], ++ "NoNewPrivileges": false, ++ "ApparmorProfile": "", ++ "OOMScoreAdj": 1000, ++ "SelinuxLabel": "" ++ }, ++ "Root": { ++ "Path": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef/rootfs", ++ "Readonly": false ++ }, ++ "Hostname": "", ++ "Mounts": [ ++ { ++ "destination": "/proc", ++ "source": "proc", ++ "type_": "proc", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/dev", ++ "source": "tmpfs", ++ "type_": "tmpfs", ++ "options": [ ++ "nosuid", ++ "strictatime", ++ "mode=755", ++ "size=65536k" ++ ] ++ }, ++ { ++ "destination": "/dev/pts", ++ "source": "devpts", ++ "type_": "devpts", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "newinstance", ++ "ptmxmode=0666", ++ "mode=0620", ++ "gid=5" ++ ] ++ }, ++ { ++ "destination": "/dev/mqueue", ++ "source": "mqueue", ++ "type_": "mqueue", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev" ++ ] ++ }, ++ { ++ "destination": "/sys", ++ "source": "sysfs", ++ "type_": "sysfs", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/sys/fs/cgroup", ++ "source": "cgroup", ++ "type_": "cgroup", ++ "options": [ ++ "nosuid", ++ "noexec", ++ "nodev", ++ "relatime", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hosts", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-1c1110e20d0b18aa-hosts", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/termination-log", ++ "source": 
"/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-270be95ff930824e-termination-log", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/hostname", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-b6820112604db404-hostname", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/etc/resolv.conf", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-bee08cb8d9985c0a-resolv.conf", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "rw" ++ ] ++ }, ++ { ++ "destination": "/dev/shm", ++ "source": "/run/kata-containers/sandbox/shm", ++ "type_": "bind", ++ "options": [ ++ "rbind" ++ ] ++ }, ++ { ++ "destination": "/var/run/secrets/kubernetes.io/serviceaccount", ++ "source": "/run/kata-containers/shared/containers/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef-03db333c5a68a8c7-serviceaccount", ++ "type_": "bind", ++ "options": [ ++ "rbind", ++ "rprivate", ++ "ro" ++ ] ++ } ++ ], ++ "Hooks": null, ++ "Annotations": { ++ "io.katacontainers.pkg.oci.container_type": "pod_container", ++ "io.kubernetes.cri.sandbox-uid": "409eab9f-b794-48b6-9424-ae53bc5d65ba", ++ "io.kubernetes.cri.container-type": "container", ++ "io.kubernetes.cri.container-name": "dummy-ctr", ++ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000001", ++ "io.kubernetes.cri.sandbox-namespace": "default", ++ "io.kubernetes.cri.sandbox-name": "dummy", ++ "io.kubernetes.cri.image-name": 
"registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db" ++ }, ++ "Linux": { ++ "UIDMappings": [], ++ "GIDMappings": [], ++ "Sysctl": {}, ++ "Resources": { ++ "Devices": [], ++ "Memory": { ++ "Limit": 0, ++ "Reservation": 0, ++ "Swap": 0, ++ "Kernel": 0, ++ "KernelTCP": 0, ++ "Swappiness": 0, ++ "DisableOOMKiller": false ++ }, ++ "CPU": { ++ "Shares": 2, ++ "Quota": 0, ++ "Period": 100000, ++ "RealtimeRuntime": 0, ++ "RealtimePeriod": 0, ++ "Cpus": "", ++ "Mems": "" ++ }, ++ "Pids": null, ++ "BlockIO": null, ++ "HugepageLimits": [], ++ "Network": null ++ }, ++ "CgroupsPath": "kubepods-besteffort-pod409eab9f_b794_48b6_9424_ae53bc5d65ba.slice:cri-containerd:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", ++ "Namespaces": [ ++ { ++ "Type": "ipc", ++ "Path": "" ++ }, ++ { ++ "Type": "uts", ++ "Path": "" ++ }, ++ { ++ "Type": "mount", ++ "Path": "" ++ } ++ ], ++ "Devices": [], ++ "Seccomp": null, ++ "RootfsPropagation": "", ++ "MaskedPaths": [], ++ "ReadonlyPaths": [], ++ "MountLabel": "", ++ "IntelRdt": null ++ }, ++ "Solaris": null, ++ "Windows": null ++ }, ++ "sandbox_pidns": false, ++ "shared_mounts": [], ++ "stdin_port": 0, ++ "stdout_port": 0, ++ "stderr_port": 0 ++ } ++ } ++] +-- +2.46.0 + diff --git a/packages/by-name/kata/kata-runtime/package.nix b/packages/by-name/kata/kata-runtime/package.nix index 83fa40731a..826690a0b5 100644 --- a/packages/by-name/kata/kata-runtime/package.nix +++ b/packages/by-name/kata/kata-runtime/package.nix 
@@ -40,6 +40,38 @@ buildGoModule rec {
 # sticking with the policy verification from AKS CoCo.
 ./0003-runtime-agent-verify-the-agent-policy-hash.patch
 ./0004-virtcontainers-allow-specifying-nydus-overlayfs-bina.patch
+
+ #
+ # Patch set to enable policy support for bare metal with Nydus guest pull.
+ #
+
+ # Backport of https://github.com/kata-containers/kata-containers/pull/9911.
+ # TODO(burgerdev): remove after upgrading to Kata 3.9
+ ./0005-genpolicy-deny-UpdateEphemeralMountsRequest.patch
+ # Cherry-pick from https://github.com/microsoft/kata-containers/pull/139/commits/e4465090e693807d6ccc044344ad44789acda3e2,
+ # fixes https://github.com/kata-containers/kata-containers/issues/10046.
+ # Currently not possible to backport because it would break integration testing with virtiofs.
+ ./0006-genpolicy-validate-create-sandbox-storages.patch
+ # Fixes https://github.com/kata-containers/kata-containers/issues/10064.
+ # TODO(burgerdev): backport
+ ./0007-genpolicy-enable-sysctl-checks.patch
+ # Fixes https://github.com/kata-containers/kata-containers/issues/10065.
+ # TODO(burgerdev): backport
+ ./0008-genpolicy-read-bundle-id-from-rootfs.patch
+ # Contrast specific layer-src-prefix, also applied to microsoft.kata-runtime.
+ # TODO(burgerdev): discuss relaxing the checks for host paths with Kata maintainers.
+ ./0009-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
+ # Kata hard-codes OCI version 1.1.0, but latest K3S has 1.2.0.
+ # TODO(burgerdev): discuss relaxing the OCI version checks with Kata maintainers.
+ # TODO(burgerdev): move to genpolicy-settings patches
+ ./0010-genpolicy-settings-bump-OCI-version.patch
+ # Nydus uses a different base dir for container rootfs,
+ # see https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integration/kubernetes/tests_common.sh#L139.
+ # TODO(burgerdev): discuss the discrepancy and path forward with Kata maintainers.
+ ./0011-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch
+ # Implements ideas from https://github.com/kata-containers/kata-containers/issues/10088.
+ # TODO(burgerdev): backport
+ ./0012-genpolicy-allow-image_guest_pull.patch
 ];
 };
From a8cb01bb3083c0bfda5702d702ed83b243220cdd Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Wed, 4 Sep 2024 14:49:19 +0200
Subject: [PATCH 2/4] contrast: use kata-specific rules for bare-metal platforms
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
...olicy-rules.rego => genpolicy-rules-kata.rego} | 0
.../assets/genpolicy-rules-microsoft.rego | 1 +
cli/genpolicy/config.go | 15 +++++++--------
packages/by-name/cli-release/package.nix | 13 ++-----------
packages/by-name/contrast/package.nix | 14 +++++++++-----
5 files changed, 19 insertions(+), 24 deletions(-)
rename cli/genpolicy/assets/{genpolicy-rules.rego => genpolicy-rules-kata.rego} (100%) mode change 100755 => 100644
create mode 100755 cli/genpolicy/assets/genpolicy-rules-microsoft.rego
diff --git a/cli/genpolicy/assets/genpolicy-rules.rego b/cli/genpolicy/assets/genpolicy-rules-kata.rego
old mode 100755
new mode 100644
similarity index 100%
rename from cli/genpolicy/assets/genpolicy-rules.rego
rename to cli/genpolicy/assets/genpolicy-rules-kata.rego
diff --git a/cli/genpolicy/assets/genpolicy-rules-microsoft.rego b/cli/genpolicy/assets/genpolicy-rules-microsoft.rego
new file mode 100755
index 0000000000..5c169759e7
--- /dev/null
+++ b/cli/genpolicy/assets/genpolicy-rules-microsoft.rego
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go
index f6004878b4..af63296493 100644
--- a/cli/genpolicy/config.go
+++ b/cli/genpolicy/config.go
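Review bot: The comments on 0009 and 0010 say that a genpolicy check is relaxed (the host-path regex and the OCI version check) but not what the relaxed check still enforces, so a reader of this file cannot tell how much of the policy's host-path validation survives the patch. Suggest one line next to each stating the intended scope, e.g. for 0009 `# Only the accepted layer source prefix is widened; note here if any other host-path check changes.` (adjust to what the patch actually changes, which is not visible in this hunk). The 0005 TODO "remove after upgrading to Kata 3.9" would be easier to act on if it named the attribute that carries the Kata version in this derivation, so that an upgrade trips over it instead of silently keeping a redundant patch.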
@@ -14,10 +14,10 @@ var (
 genpolicyBin []byte
 //go:embed assets/genpolicy-settings.json
 defaultGenpolicySettings []byte
- //go:embed assets/genpolicy-rules.rego
- aksCloudHypervisorSNPRules []byte
- //go:embed assets/allow-all.rego
- permissiveRules []byte
+ //go:embed assets/genpolicy-rules-microsoft.rego
+ aksRules []byte
+ //go:embed assets/genpolicy-rules-kata.rego
+ kataRules []byte
 )
 
 // Config contains configuration files for genpolicy.
@@ -35,10 +35,9 @@ func NewConfig(platform platforms.Platform) *Config {
 }
 switch platform {
 case platforms.AKSCloudHypervisorSNP:
- cfg.Rules = aksCloudHypervisorSNPRules
- default:
- // TODO(burgerdev): use real rules for supported platforms.
- cfg.Rules = permissiveRules
+ cfg.Rules = aksRules
+ case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+ cfg.Rules = kataRules
 }
 return cfg
 }
diff --git a/packages/by-name/cli-release/package.nix b/packages/by-name/cli-release/package.nix
index c7100ab81c..34568e0db7 100644
--- a/packages/by-name/cli-release/package.nix
+++ b/packages/by-name/cli-release/package.nix
@@ -1,21 +1,12 @@
 # Copyright 2024 Edgeless Systems GmbH
 # SPDX-License-Identifier: AGPL-3.0-only
 
-{
- lib,
- contrast,
- microsoft,
- genpolicy ? microsoft.genpolicy,
-}:
+{ contrast }:
 
 (contrast.overrideAttrs (
 _finalAttrs: previousAttrs: {
- prePatch = ''
- install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+ postPatch = ''
 install -D ${contrast.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
- install -D ${contrast.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
- # TODO(burgerdev): cli/genpolicy/assets/allow-all.rego is insecure and deliberately omitted
- install -D ${contrast.embeddedReferenceValues} internal/manifest/assets/reference-values.json
 '';
 
 ldflags = previousAttrs.ldflags ++ [
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index 7a621f1cdd..752d49d912 100644
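Review bot: In the second hunk, dropping the `default:` branch means NewConfig now returns a Config whose Rules is nil for any platform other than the four listed, where it previously fell back to permissiveRules; moving away from the permissive fallback is the right direction, but the nil result is silent. Patch 3 (L58) turns this into `default: return nil`, and patch 4 (L63) then reads `cfg.Bin` in generatePolicies, so unless the caller checks cfg for nil before that line (outside the hunk) an unsupported platform becomes a nil-pointer panic rather than an error. Consider making the failure explicit, e.g. `func NewConfig(platform platforms.Platform) (*Config, error)` with `default: return nil, fmt.Errorf("no genpolicy configuration for platform %v", platform)`, or at least state the nil return in NewConfig's doc comment so callers know to check it.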
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -20,6 +20,7 @@ let
 proxyVendor
 vendorHash
 prePatch
+ postPatch
 CGO_ENABLED
 ;
 pname = "${contrast.pname}-e2e";
@@ -176,16 +177,19 @@ buildGoModule rec {
 prePatch = ''
 install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
- install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
- install -D ${genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
- install -D ${genpolicy.src}/src/kata-opa/allow-all.rego cli/genpolicy/assets/allow-all.rego
+ install -D ${microsoft.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-microsoft.rego
+ install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego
 install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json
 '';
 
+ # postPatch will be overwritten by the release-cli derivation, prePatch
+ postPatch = ''
+ install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+ '';
+
 CGO_ENABLED = 0;
 
 ldflags = [
 "-s"
- "-w"
 "-X github.com/edgelesssys/contrast/internal/constants.Version=${version}"
 "-X github.com/edgelesssys/contrast/internal/constants.MicrosoftGenpolicyVersion=${genpolicy.version}"
 "-X github.com/edgelesssys/contrast/internal/constants.KataGenpolicyVersion=${kata.genpolicy.version}"
@@ -228,7 +232,7 @@ buildGoModule rec {
 passthru = {
 inherit e2e embeddedReferenceValues;
- inherit (genpolicy) settings rules;
+ inherit (genpolicy) settings;
 };
 
 meta.mainProgram = "contrast";

From 9ec72afa4ebdbadb7dac089711004a7d0737453d Mon Sep 17 00:00:00 2001
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Wed, 4 Sep 2024 20:05:30 +0200
Subject: [PATCH 3/4] contrast: use kata-specific settings for bare-metal platforms
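Review bot: The new comment `# postPatch will be overwritten by the release-cli derivation, prePatch` in the second hunk breaks off mid-sentence and names the derivation `release-cli`, while the derivation that actually overrides postPatch lives in `packages/by-name/cli-release/package.nix` (patched just above). Suggest `# postPatch is overridden by the cli-release derivation (prePatch is kept), so only the dev settings are installed here.` so the next reader knows which half survives in the release build. The same hunk also drops `"-w"` from ldflags, which may keep DWARF data in the shipped binary; that is unrelated to the commit subject and not mentioned in the description, so either explain it there or move it to its own commit.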
Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 ...ings.json => genpolicy-settings-kata.json} | 0
 .../assets/genpolicy-settings-microsoft.json | 1 +
 cli/genpolicy/config.go | 22 ++++---
 packages/by-name/cli-release/package.nix | 9 ++-
 packages/by-name/contrast/package.nix | 6 +-
 .../genpolicy_rules_coordinator.patch | 15 +++++
 .../genpolicy_settings_coordinator.patch | 14 +++++
 .../genpolicy/genpolicy_settings_dev.patch | 31 ++++++++++
 packages/by-name/kata/genpolicy/package.nix | 62 ++++++++++++++-----
 9 files changed, 132 insertions(+), 28 deletions(-)
 rename cli/genpolicy/assets/{genpolicy-settings.json => genpolicy-settings-kata.json} (100%)
 create mode 100755 cli/genpolicy/assets/genpolicy-settings-microsoft.json
 create mode 100644 packages/by-name/kata/genpolicy/genpolicy_rules_coordinator.patch
 create mode 100644 packages/by-name/kata/genpolicy/genpolicy_settings_coordinator.patch
 create mode 100644 packages/by-name/kata/genpolicy/genpolicy_settings_dev.patch

diff --git a/cli/genpolicy/assets/genpolicy-settings.json b/cli/genpolicy/assets/genpolicy-settings-kata.json
similarity index 100%
rename from cli/genpolicy/assets/genpolicy-settings.json
rename to cli/genpolicy/assets/genpolicy-settings-kata.json
diff --git a/cli/genpolicy/assets/genpolicy-settings-microsoft.json b/cli/genpolicy/assets/genpolicy-settings-microsoft.json
new file mode 100755
index 0000000000..eda2960cec
--- /dev/null
+++ b/cli/genpolicy/assets/genpolicy-settings-microsoft.json
@@ -0,0 +1 @@
+"THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING"
diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go
index af63296493..d8e5c8922c 100644
--- a/cli/genpolicy/config.go
+++ b/cli/genpolicy/config.go
@@ -12,8 +12,10 @@ import (
 var (
 //go:embed assets/genpolicy
 genpolicyBin []byte
- //go:embed assets/genpolicy-settings.json
- defaultGenpolicySettings []byte
+ //go:embed assets/genpolicy-settings-microsoft.json
+ aksSettings []byte
+ //go:embed assets/genpolicy-settings-kata.json
+ kataSettings []byte
 //go:embed assets/genpolicy-rules-microsoft.rego
 aksRules []byte
 //go:embed assets/genpolicy-rules-kata.rego
@@ -30,14 +32,18 @@ type Config struct {
 
 // NewConfig selects the appropriate genpolicy configuration for the target platform.
 func NewConfig(platform platforms.Platform) *Config {
- cfg := &Config{
- Settings: defaultGenpolicySettings,
- }
 switch platform {
 case platforms.AKSCloudHypervisorSNP:
- cfg.Rules = aksRules
+ return &Config{
+ Rules: aksRules,
+ Settings: aksSettings,
+ }
 case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
- cfg.Rules = kataRules
+ return &Config{
+ Rules: kataRules,
+ Settings: kataSettings,
+ }
+ default:
+ return nil
 }
- return cfg
 }
diff --git a/packages/by-name/cli-release/package.nix b/packages/by-name/cli-release/package.nix
index 34568e0db7..1078fc036b 100644
--- a/packages/by-name/cli-release/package.nix
+++ b/packages/by-name/cli-release/package.nix
@@ -1,12 +1,17 @@
 # Copyright 2024 Edgeless Systems GmbH
 # SPDX-License-Identifier: AGPL-3.0-only
 
-{ contrast }:
+{
+ contrast,
+ kata,
+ microsoft,
+}:
 
 (contrast.overrideAttrs (
 _finalAttrs: previousAttrs: {
 postPatch = ''
- install -D ${contrast.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+ install -D ${microsoft.genpolicy.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-microsoft.json
+ install -D ${kata.genpolicy.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-kata.json
 '';
 
 ldflags = previousAttrs.ldflags ++ [
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index 752d49d912..3344fad114 100644
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -184,14 +184,15 @@ buildGoModule rec {
 # postPatch will be overwritten by the release-cli derivation, prePatch
 postPatch = ''
- install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
+ install -D ${microsoft.genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-microsoft.json
+ install -D ${kata.genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-kata.json
 '';
 
 CGO_ENABLED = 0;
 
 ldflags = [
 "-s"
 "-X github.com/edgelesssys/contrast/internal/constants.Version=${version}"
- "-X github.com/edgelesssys/contrast/internal/constants.MicrosoftGenpolicyVersion=${genpolicy.version}"
+ "-X github.com/edgelesssys/contrast/internal/constants.MicrosoftGenpolicyVersion=${microsoft.genpolicy.version}"
 "-X github.com/edgelesssys/contrast/internal/constants.KataGenpolicyVersion=${kata.genpolicy.version}"
 ];
 
@@ -232,7 +233,6 @@ buildGoModule rec {
 passthru = {
 inherit e2e embeddedReferenceValues;
- inherit (genpolicy) settings;
 };
 
 meta.mainProgram = "contrast";
diff --git a/packages/by-name/kata/genpolicy/genpolicy_rules_coordinator.patch b/packages/by-name/kata/genpolicy/genpolicy_rules_coordinator.patch
new file mode 100644
index 0000000000..4dba9fa5e2
--- /dev/null
+++ b/packages/by-name/kata/genpolicy/genpolicy_rules_coordinator.patch
@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+index c3eb334..a796740 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -164,9 +164,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+ p_namespace := p_oci.Annotations[s_namespace]
+ i_namespace := i_oci.Annotations[s_namespace]
+ print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+- p_namespace == i_namespace
++ regex.match("^[a-z0-9-]{1,63}$", i_namespace)
+ 
+- allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
++ allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+ allow_process(p_oci, i_oci, s_name)
diff --git a/packages/by-name/kata/genpolicy/genpolicy_settings_coordinator.patch b/packages/by-name/kata/genpolicy/genpolicy_settings_coordinator.patch
new file mode 100644
index 0000000000..8dad8871cf
--- /dev/null
+++ b/packages/by-name/kata/genpolicy/genpolicy_settings_coordinator.patch
@@ -0,0 +1,14 @@
+diff --git a/genpolicy-settings.json b/genpolicy-settings.json
+index 4e9f6481d..7d0356b90 100644
+--- a/genpolicy-settings.json
++++ b/genpolicy-settings.json
+@@ -333,7 +333,8 @@
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++ "^CONTRAST_[A-Z0-9_]*=.*$"
+ ]
+ },
+ "CopyFileRequest": [
diff --git a/packages/by-name/kata/genpolicy/genpolicy_settings_dev.patch b/packages/by-name/kata/genpolicy/genpolicy_settings_dev.patch
new file mode 100644
index 0000000000..b8830e75dd
--- /dev/null
+++ b/packages/by-name/kata/genpolicy/genpolicy_settings_dev.patch
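Review bot: The patched rule replaces the exact `p_namespace == i_namespace` comparison with `regex.match("^[a-z0-9-]{1,63}$", i_namespace)`, so the coordinator policy no longer pins the pod to the namespace recorded at policy-generation time, and `allow_by_container_types` is fed the runtime namespace instead; the patch file itself gives no rationale for this relaxation. Since `patch` ignores text before the first `diff --git` line, a short paragraph at the top of the file (presumably that the coordinator may be deployed into any namespace and only a syntactic check is wanted) would keep the reasoning next to the change. If the intent is "a syntactically valid namespace name", note that the regex also admits a leading or trailing hyphen, which a DNS-1123 label does not; `^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$` tracks the Kubernetes rule more closely.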
@@ -0,0 +1,31 @@
+diff --git a/genpolicy-settings.json b/genpolicy-settings.json
+index 4e9f6481d..64f16a760 100644
+--- a/genpolicy-settings.json
++++ b/genpolicy-settings.json
+@@ -333,7 +333,8 @@
+ "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+ "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+- "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++ "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++ "^CONTRAST_[A-Z0-9_]*=.*$"
+ ]
+ },
+ "CopyFileRequest": [
+@@ -341,11 +342,13 @@
+ ],
+ "ExecProcessRequest": {
+ "allowed_commands": [],
+- "regex": []
++ "regex": [
++ ".*"
++ ]
+ },
+ "CloseStdinRequest": false,
+- "ReadStreamRequest": false,
++ "ReadStreamRequest": true,
+ "UpdateEphemeralMountsRequest": false,
+- "WriteStreamRequest": false
++ "WriteStreamRequest": true
+ }
+ }
diff --git a/packages/by-name/kata/genpolicy/package.nix b/packages/by-name/kata/genpolicy/package.nix
index 03d62041a1..819e879ecf 100644
--- a/packages/by-name/kata/genpolicy/package.nix
+++ b/packages/by-name/kata/genpolicy/package.nix
@@ -3,7 +3,6 @@
 
 {
 lib,
- fetchurl,
 kata,
 rustPlatform,
 openssl,
@@ -12,6 +11,8 @@
 libiconv,
 zlib,
 cmake,
+ stdenvNoCC,
+ applyPatches,
 }:
 
 rustPlatform.buildRustPackage rec {
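Review bot: The first hunk of this patch file repeats the coordinator patch's CONTRAST_ env-var hunk verbatim (only the `index` line differs), so the `"^CONTRAST_[A-Z0-9_]*=.*$"` allowance now has to be kept in sync in two files; stacking the patches in package.nix, `patches = [ ./genpolicy_settings_coordinator.patch ./genpolicy_settings_dev.patch ];`, and reducing this file to its second hunk would maintain it once. This file also sets `ExecProcessRequest.regex` to `.*` and turns `ReadStreamRequest` and `WriteStreamRequest` on, yet carries no marker of its own; the only warning is the comment next to `settings-dev` in package.nix (L62). A line of prose above the `diff --git` header, such as `Development-only settings: allow arbitrary exec and stream I/O into CVM pods. Not for production.`, is ignored by patch and travels with the file.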
@@ -59,24 +60,55 @@ rustPlatform.buildRustPackage rec {
 "--skip=test_create_container_process"
 ];
- passthru = {
- settings = fetchurl {
+ passthru = rec {
+ settings-base = stdenvNoCC.mkDerivation {
 name = "${pname}-${version}-settings";
- url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${version}/src/tools/genpolicy/genpolicy-settings.json";
- hash = "sha256-kalmW/gWMJIWUNk7IzA0l1saMFu8QYb1DXZ8cU/QSxs=";
- downloadToTemp = true;
- recursiveHash = true;
- postFetch = "install -D $downloadedFile $out/genpolicy-settings.json";
+ inherit src sourceRoot;
+
+ phases = [
+ "unpackPhase"
+ "patchPhase"
+ "installPhase"
+ ];
+ installPhase = ''
+ runHook preInstall
+ install -D genpolicy-settings.json $out/genpolicy-settings.json
+ runHook postInstall
+ '';
 };
- # TODO(freax13): use real rules.
- rules = fetchurl {
+ settings = settings-base;
+
+ settings-coordinator = applyPatches {
+ src = settings-base;
+ patches = [ ./genpolicy_settings_coordinator.patch ];
+ };
+
+ # Settings that allow exec into CVM pods - not safe for production use!
+ settings-dev = applyPatches {
+ src = settings-base;
+ patches = [ ./genpolicy_settings_dev.patch ];
+ };
+
+ rules = stdenvNoCC.mkDerivation {
 name = "${pname}-${version}-rules";
- url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${version}/src/kata-opa/allow-all.rego";
- hash = "sha256-ubjA2RqoNurJphlH4wUNvdOxxtkvLlsaYfWsGYb9NLA=";
- downloadToTemp = true;
- recursiveHash = true;
- postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
+ inherit src sourceRoot;
+
+ phases = [
+ "unpackPhase"
+ "patchPhase"
+ "installPhase"
+ ];
+ installPhase = ''
+ runHook preInstall
+ install -D rules.rego $out/genpolicy-rules.rego
+ runHook postInstall
+ '';
+ };
+
+ rules-coordinator = applyPatches {
+ src = rules;
+ patches = [ ./genpolicy_rules_coordinator.patch ];
 };
 };

From f2a96b4323ec585174173afdd3f4257fc7c1cdbe Mon Sep 17 00:00:00 2001
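Review bot: `settings-base` and `rules` list `"patchPhase"` in `phases` but inherit only `src` and `sourceRoot`, so unless this package's own patches are forwarded the phase is a no-op and both outputs come from the unpatched upstream tree. That matters for `settings`: the kata-runtime patch set added in patch 1 (L53–L54) includes `0010-genpolicy-settings-bump-OCI-version.patch` and `0011-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch`, which by their names edit genpolicy-settings.json, and it is not visible here whether `src` already carries them. Either forward them (`inherit src sourceRoot patches;`, if this derivation defines `patches`) or drop `"patchPhase"` from `phases` so the listing does not suggest patching that does not happen. The `settings-dev` warning comment is good; `settings-coordinator` would benefit from a one-line note on what its patch relaxes as well.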
From: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Date: Wed, 4 Sep 2024 20:35:00 +0200
Subject: [PATCH 4/4] contrast: use kata-specific genpolicy binary for bare-metal platforms

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
---
 cli/cmd/generate.go | 2 +-
 cli/genpolicy/assets/{genpolicy => genpolicy-kata} | 0
 cli/genpolicy/assets/genpolicy-microsoft | 1 +
 cli/genpolicy/config.go | 10 ++++++++--
 cli/genpolicy/genpolicy.go | 4 ++--
 cli/genpolicy/genpolicy_test.go | 4 ++--
 packages/by-name/contrast/package.nix | 4 ++--
 7 files changed, 16 insertions(+), 9 deletions(-)
 rename cli/genpolicy/assets/{genpolicy => genpolicy-kata} (100%)
 create mode 100644 cli/genpolicy/assets/genpolicy-microsoft

diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
index f0a8fbcaa3..17ba8083cb 100644
--- a/cli/cmd/generate.go
+++ b/cli/cmd/generate.go
@@ -251,7 +251,7 @@ func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []str
 return fmt.Errorf("creating default policy.rego file: %w", err)
 }
 
- runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath)
+ runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, cfg.Bin)
 if err != nil {
 return fmt.Errorf("preparing genpolicy: %w", err)
 }
diff --git a/cli/genpolicy/assets/genpolicy b/cli/genpolicy/assets/genpolicy-kata
similarity index 100%
rename from cli/genpolicy/assets/genpolicy
rename to cli/genpolicy/assets/genpolicy-kata
diff --git a/cli/genpolicy/assets/genpolicy-microsoft b/cli/genpolicy/assets/genpolicy-microsoft
new file mode 100644
index 0000000000..5c169759e7
--- /dev/null
+++ b/cli/genpolicy/assets/genpolicy-microsoft
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go
index d8e5c8922c..19a5c07611 100644
--- a/cli/genpolicy/config.go
+++ b/cli/genpolicy/config.go
@@ -10,8 +10,10 @@ import (
 )
 
 var (
- //go:embed assets/genpolicy
- genpolicyBin []byte
+ //go:embed assets/genpolicy-microsoft
+ aksGenpolicyBin []byte
+ //go:embed assets/genpolicy-kata
+ kataGenpolicyBin []byte
 //go:embed assets/genpolicy-settings-microsoft.json
 aksSettings []byte
 //go:embed assets/genpolicy-settings-kata.json
@@ -28,6 +30,8 @@ type Config struct {
 Rules []byte
 // Settings is a json config file that holds platform-specific configuration.
 Settings []byte
+ // Bin is the genpolicy binary.
+ Bin []byte
 }
 
 // NewConfig selects the appropriate genpolicy configuration for the target platform.
@@ -37,11 +41,13 @@ func NewConfig(platform platforms.Platform) *Config {
 return &Config{
 Rules: aksRules,
 Settings: aksSettings,
+ Bin: aksGenpolicyBin,
 }
 case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 return &Config{
 Rules: kataRules,
 Settings: kataSettings,
+ Bin: kataGenpolicyBin,
 }
 default:
 return nil
diff --git a/cli/genpolicy/genpolicy.go b/cli/genpolicy/genpolicy.go
index 787b436c18..8fd6cbc477 100644
--- a/cli/genpolicy/genpolicy.go
+++ b/cli/genpolicy/genpolicy.go
@@ -28,9 +28,9 @@ type Runner struct {
 }
 
 // New creates a new Runner for the given configuration.
-func New(rulesPath, settingsPath, cachePath string) (*Runner, error) {
+func New(rulesPath, settingsPath, cachePath string, bin []byte) (*Runner, error) {
 e := embedbin.New()
- genpolicy, err := e.Install("", genpolicyBin)
+ genpolicy, err := e.Install("", bin)
 if err != nil {
 return nil, fmt.Errorf("installing genpolicy: %w", err)
 }
diff --git a/cli/genpolicy/genpolicy_test.go b/cli/genpolicy/genpolicy_test.go
index 4401f3eb8e..2d21888e0e 100644
--- a/cli/genpolicy/genpolicy_test.go
+++ b/cli/genpolicy/genpolicy_test.go
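Review bot: In the genpolicy.go hunk, `New` now installs whatever `bin` it is handed, but its doc comment still reads "for the given configuration" and nothing rejects an empty slice, so a caller passing the zero value gets an empty executable installed and a confusing failure later at Run. Suggest `// New creates a Runner that executes the genpolicy binary bin with the given rules, settings and cache paths.` and, before the Install call, `if len(bin) == 0 { return nil, fmt.Errorf("genpolicy binary must not be empty") }`. Note that the in-tree `assets/genpolicy-microsoft` is a one-line text placeholder that the Nix prePatch (L65) replaces, so a plain `go build` outside Nix embeds that text as the AKS binary, which a length check would not catch.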
@@ -48,7 +48,7 @@ func TestRunner(t *testing.T) {
 logger := slog.Default()
 d := t.TempDir()
- genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))
+ genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
 expectedRulesPath := "/rules.rego"
 rulesPathFile := filepath.Join(d, "rules_path")
@@ -58,7 +58,7 @@ func TestRunner(t *testing.T) {
 expectedYAMLPath := filepath.Join(d, "test.yaml")
 yamlPathFile := filepath.Join(d, "yaml_path")
- r, err := New(expectedRulesPath, expectedSettingsPath, cachePath)
+ r, err := New(expectedRulesPath, expectedSettingsPath, cachePath, genpolicyBin)
 require.NoError(err)
 require.NoError(r.Run(ctx, expectedYAMLPath, logger))
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index 3344fad114..d901a1475f 100644
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -7,7 +7,6 @@
 buildGoTest,
 microsoft,
 kata,
- genpolicy ? microsoft.genpolicy,
 contrast,
 installShellFiles,
 }:
@@ -176,7 +175,8 @@ buildGoModule rec {
 subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
 prePatch = ''
- install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
+ install -D ${lib.getExe microsoft.genpolicy} cli/genpolicy/assets/genpolicy-microsoft
+ install -D ${lib.getExe kata.genpolicy} cli/genpolicy/assets/genpolicy-kata
 install -D ${microsoft.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-microsoft.rego
 install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego
 install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json