edgelesssys · burgerdev · Sep 23, 2024 · Sep 4, 2024 · Sep 4, 2024 · Sep 4, 2024
diff --git a/cli/cmd/generate.go b/cli/cmd/generate.go
@@ -251,7 +251,7 @@ func generatePolicies(ctx context.Context, flags *generateFlags, yamlPaths []str
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
 
-	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath)
+	runner, err := genpolicy.New(flags.policyPath, flags.settingsPath, flags.genpolicyCachePath, cfg.Bin)
 	if err != nil {
 		return fmt.Errorf("preparing genpolicy: %w", err)
 	}

diff --git a/cli/genpolicy/assets/genpolicy → cli/genpolicy/assets/genpolicy-kata b/cli/genpolicy/assets/genpolicy → cli/genpolicy/assets/genpolicy-kata
diff --git a/cli/genpolicy/assets/genpolicy-rules.rego → cli/genpolicy/assets/genpolicy-microsoft b/cli/genpolicy/assets/genpolicy-rules.rego → cli/genpolicy/assets/genpolicy-microsoft
diff --git a/cli/genpolicy/assets/genpolicy-rules-kata.rego b/cli/genpolicy/assets/genpolicy-rules-kata.rego
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/genpolicy/assets/genpolicy-rules-microsoft.rego b/cli/genpolicy/assets/genpolicy-rules-microsoft.rego
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/genpolicy/assets/genpolicy-settings.json → ...olicy/assets/genpolicy-settings-kata.json b/cli/genpolicy/assets/genpolicy-settings.json → ...olicy/assets/genpolicy-settings-kata.json
diff --git a/cli/genpolicy/assets/genpolicy-settings-microsoft.json b/cli/genpolicy/assets/genpolicy-settings-microsoft.json
@@ -0,0 +1 @@
+"THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING"
diff --git a/cli/genpolicy/config.go b/cli/genpolicy/config.go
@@ -10,14 +10,18 @@ import (
 )
 
 var (
-	//go:embed assets/genpolicy
-	genpolicyBin []byte
-	//go:embed assets/genpolicy-settings.json
-	defaultGenpolicySettings []byte
-	//go:embed assets/genpolicy-rules.rego
-	aksCloudHypervisorSNPRules []byte
-	//go:embed assets/allow-all.rego
-	permissiveRules []byte
+	//go:embed assets/genpolicy-microsoft
+	aksGenpolicyBin []byte
+	//go:embed assets/genpolicy-kata
+	kataGenpolicyBin []byte
+	//go:embed assets/genpolicy-settings-microsoft.json
+	aksSettings []byte
+	//go:embed assets/genpolicy-settings-kata.json
+	kataSettings []byte
+	//go:embed assets/genpolicy-rules-microsoft.rego
+	aksRules []byte
+	//go:embed assets/genpolicy-rules-kata.rego
+	kataRules []byte
 )
 
 // Config contains configuration files for genpolicy.
@@ -26,19 +30,26 @@ type Config struct {
 	Rules []byte
 	// Settings is a json config file that holds platform-specific configuration.
 	Settings []byte
+	// Bin is the genpolicy binary.
+	Bin []byte
 }
 
 // NewConfig selects the appropriate genpolicy configuration for the target platform.
 func NewConfig(platform platforms.Platform) *Config {
-	cfg := &Config{
-		Settings: defaultGenpolicySettings,
-	}
 	switch platform {
 	case platforms.AKSCloudHypervisorSNP:
-		cfg.Rules = aksCloudHypervisorSNPRules
+		return &Config{
+			Rules:    aksRules,
+			Settings: aksSettings,
+			Bin:      aksGenpolicyBin,
+		}
+	case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+		return &Config{
+			Rules:    kataRules,
+			Settings: kataSettings,
+			Bin:      kataGenpolicyBin,
+		}
 	default:
-		// TODO(burgerdev): use real rules for supported platforms.
-		cfg.Rules = permissiveRules
+		return nil
 	}
-	return cfg
 }
diff --git a/cli/genpolicy/genpolicy.go b/cli/genpolicy/genpolicy.go
@@ -28,9 +28,9 @@ type Runner struct {
 }
 
 // New creates a new Runner for the given configuration.
-func New(rulesPath, settingsPath, cachePath string) (*Runner, error) {
+func New(rulesPath, settingsPath, cachePath string, bin []byte) (*Runner, error) {
 	e := embedbin.New()
-	genpolicy, err := e.Install("", genpolicyBin)
+	genpolicy, err := e.Install("", bin)
 	if err != nil {
 		return nil, fmt.Errorf("installing genpolicy: %w", err)
 	}

diff --git a/cli/genpolicy/genpolicy_test.go b/cli/genpolicy/genpolicy_test.go
@@ -48,7 +48,7 @@ func TestRunner(t *testing.T) {
 	logger := slog.Default()
 
 	d := t.TempDir()
-	genpolicyBin = []byte(fmt.Sprintf(scriptTemplate, d))
+	genpolicyBin := []byte(fmt.Sprintf(scriptTemplate, d))
 
 	expectedRulesPath := "/rules.rego"
 	rulesPathFile := filepath.Join(d, "rules_path")
@@ -58,7 +58,7 @@ func TestRunner(t *testing.T) {
 	expectedYAMLPath := filepath.Join(d, "test.yaml")
 	yamlPathFile := filepath.Join(d, "yaml_path")
 
-	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath)
+	r, err := New(expectedRulesPath, expectedSettingsPath, cachePath, genpolicyBin)
 	require.NoError(err)
 
 	require.NoError(r.Run(ctx, expectedYAMLPath, logger))

@@ -2,20 +2,16 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 {
-  lib,
   contrast,
+  kata,
   microsoft,
-  genpolicy ? microsoft.genpolicy,
 }:
 
 (contrast.overrideAttrs (
   _finalAttrs: previousAttrs: {
-    prePatch = ''
-      install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
-      install -D ${contrast.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
-      install -D ${contrast.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
-      # TODO(burgerdev): cli/genpolicy/assets/allow-all.rego is insecure and deliberately omitted
-      install -D ${contrast.embeddedReferenceValues} internal/manifest/assets/reference-values.json
+    postPatch = ''
+      install -D ${microsoft.genpolicy.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-microsoft.json
+      install -D ${kata.genpolicy.settings}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-kata.json
     '';
 
     ldflags = previousAttrs.ldflags ++ [

@@ -7,7 +7,6 @@
   buildGoTest,
   microsoft,
   kata,
-  genpolicy ? microsoft.genpolicy,
   contrast,
   installShellFiles,
 }:
@@ -20,6 +19,7 @@ let
       proxyVendor
       vendorHash
       prePatch
+      postPatch
       CGO_ENABLED
       ;
     pname = "${contrast.pname}-e2e";
@@ -175,19 +175,24 @@ buildGoModule rec {
   subPackages = packageOutputs ++ [ "internal/kuberesource/resourcegen" ];
 
   prePatch = ''
-    install -D ${lib.getExe genpolicy} cli/genpolicy/assets/genpolicy
-    install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings.json
-    install -D ${genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules.rego
-    install -D ${genpolicy.src}/src/kata-opa/allow-all.rego cli/genpolicy/assets/allow-all.rego
+    install -D ${lib.getExe microsoft.genpolicy} cli/genpolicy/assets/genpolicy-microsoft
+    install -D ${lib.getExe kata.genpolicy} cli/genpolicy/assets/genpolicy-kata
+    install -D ${microsoft.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-microsoft.rego
+    install -D ${kata.genpolicy.rules}/genpolicy-rules.rego cli/genpolicy/assets/genpolicy-rules-kata.rego
     install -D ${embeddedReferenceValues} internal/manifest/assets/reference-values.json
   '';
 
+  # postPatch will be overwritten by the release-cli derivation, prePatch
+  postPatch = ''
+    install -D ${microsoft.genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-microsoft.json
+    install -D ${kata.genpolicy.settings-dev}/genpolicy-settings.json cli/genpolicy/assets/genpolicy-settings-kata.json
+  '';
+
   CGO_ENABLED = 0;
   ldflags = [
     "-s"
-    "-w"
     "-X github.com/edgelesssys/contrast/internal/constants.Version=${version}"
-    "-X github.com/edgelesssys/contrast/internal/constants.MicrosoftGenpolicyVersion=${genpolicy.version}"
+    "-X github.com/edgelesssys/contrast/internal/constants.MicrosoftGenpolicyVersion=${microsoft.genpolicy.version}"
     "-X github.com/edgelesssys/contrast/internal/constants.KataGenpolicyVersion=${kata.genpolicy.version}"
   ];
 
@@ -228,7 +233,6 @@ buildGoModule rec {
 
   passthru = {
     inherit e2e embeddedReferenceValues;
-    inherit (genpolicy) settings rules;
   };
 
   meta.mainProgram = "contrast";

@@ -0,0 +1,15 @@
+diff --git a/genpolicy-rules.rego b/genpolicy-rules.rego
+index c3eb334..a796740 100644
+--- a/genpolicy-rules.rego
++++ b/genpolicy-rules.rego
+@@ -164,9 +164,9 @@ allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name) {
+     p_namespace := p_oci.Annotations[s_namespace]
+     i_namespace := i_oci.Annotations[s_namespace]
+     print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
+-    p_namespace == i_namespace
++    regex.match("^[a-z0-9-]{1,63}$", i_namespace)
+
+-    allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
++    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+     allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
+     allow_process(p_oci, i_oci, s_name)
@@ -0,0 +1,14 @@
+diff --git a/genpolicy-settings.json b/genpolicy-settings.json
+index 4e9f6481d..7d0356b90 100644
+--- a/genpolicy-settings.json
++++ b/genpolicy-settings.json
+@@ -333,7 +333,8 @@
+                 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+-                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++                "^CONTRAST_[A-Z0-9_]*=.*$"
+             ]
+         },
+         "CopyFileRequest": [
@@ -0,0 +1,31 @@
+diff --git a/genpolicy-settings.json b/genpolicy-settings.json
+index 4e9f6481d..64f16a760 100644
+--- a/genpolicy-settings.json
++++ b/genpolicy-settings.json
+@@ -333,7 +333,8 @@
+                 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
+                 "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
+-                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
++                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
++                "^CONTRAST_[A-Z0-9_]*=.*$"
+             ]
+         },
+         "CopyFileRequest": [
+@@ -341,11 +342,13 @@
+         ],
+         "ExecProcessRequest": {
+             "allowed_commands": [],
+-            "regex": []
++            "regex": [
++                ".*"
++            ]
+         },
+         "CloseStdinRequest": false,
+-        "ReadStreamRequest": false,
++        "ReadStreamRequest": true,
+         "UpdateEphemeralMountsRequest": false,
+-        "WriteStreamRequest": false
++        "WriteStreamRequest": true
+     }
+ }
@@ -3,7 +3,6 @@
 
 {
   lib,
-  fetchurl,
   kata,
   rustPlatform,
   openssl,
@@ -12,6 +11,8 @@
   libiconv,
   zlib,
   cmake,
+  stdenvNoCC,
+  applyPatches,
 }:
 
 rustPlatform.buildRustPackage rec {
@@ -55,26 +56,59 @@ rustPlatform.buildRustPackage rec {
     # these want internet access, disable them
     "--skip=test_copyfile"
     "--skip=test_create_sandbox"
+    "--skip=test_create_container_guest_pull"
+    "--skip=test_create_container_process"
   ];
 
-  passthru = {
-    settings = fetchurl {
+  passthru = rec {
+    settings-base = stdenvNoCC.mkDerivation {
       name = "${pname}-${version}-settings";
-      url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${version}/src/tools/genpolicy/genpolicy-settings.json";
-      hash = "sha256-kalmW/gWMJIWUNk7IzA0l1saMFu8QYb1DXZ8cU/QSxs=";
-      downloadToTemp = true;
-      recursiveHash = true;
-      postFetch = "install -D $downloadedFile $out/genpolicy-settings.json";
+      inherit src sourceRoot;
+
+      phases = [
+        "unpackPhase"
+        "patchPhase"
+        "installPhase"
+      ];
+      installPhase = ''
+        runHook preInstall
+        install -D genpolicy-settings.json $out/genpolicy-settings.json
+        runHook postInstall
+      '';
     };
 
-    # TODO(freax13): use real rules.
-    rules = fetchurl {
+    settings = settings-base;
+
+    settings-coordinator = applyPatches {
+      src = settings-base;
+      patches = [ ./genpolicy_settings_coordinator.patch ];
+    };
+
+    # Settings that allow exec into CVM pods - not safe for production use!
+    settings-dev = applyPatches {
+      src = settings-base;
+      patches = [ ./genpolicy_settings_dev.patch ];
+    };
+
+    rules = stdenvNoCC.mkDerivation {
       name = "${pname}-${version}-rules";
-      url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${version}/src/kata-opa/allow-all.rego";
-      hash = "sha256-ubjA2RqoNurJphlH4wUNvdOxxtkvLlsaYfWsGYb9NLA=";
-      downloadToTemp = true;
-      recursiveHash = true;
-      postFetch = "install -D $downloadedFile $out/genpolicy-rules.rego";
+      inherit src sourceRoot;
+
+      phases = [
+        "unpackPhase"
+        "patchPhase"
+        "installPhase"
+      ];
+      installPhase = ''
+        runHook preInstall
+        install -D rules.rego $out/genpolicy-rules.rego
+        runHook postInstall
+      '';
+    };
+
+    rules-coordinator = applyPatches {
+      src = rules;
+      patches = [ ./genpolicy_rules_coordinator.patch ];
     };
   };
 

@@ -1,7 +1,7 @@
-From c7462075ed2bca6a56da5f246dbaddf128073eba Mon Sep 17 00:00:00 2001
+From 786d23a72425fb55d1ba043f1a64026abea266e1 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Fri, 5 Jul 2024 08:43:13 +0000
-Subject: [PATCH 1/4] govmm: Directly pass the firwmare using -bios with SNP
+Subject: [PATCH 01/12] govmm: Directly pass the firwmare using -bios with SNP
 
 3e158001993cc2356d6ac084e6c82714210c9f24, but for SNP.
 ---
@@ -24,5 +24,5 @@ index 47322c803..6b2b6b02d 100644
  		objectParams = append(objectParams, string(object.Type))
  		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
 -- 
-2.45.2
+2.46.0
 
@@ -1,7 +1,7 @@
-From 1b310a680a6f8920d353db2baa0e112c4f24d4d7 Mon Sep 17 00:00:00 2001
+From 1831c429d985b5f17a76e0943d345b0f87707100 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:35:54 +0000
-Subject: [PATCH 2/4] emulate CPU model that most closely matches the host
+Subject: [PATCH 02/12] emulate CPU model that most closely matches the host
 
 QEMU's CPU model 'host' still doesn't support SNP, but by using the
 correct model, the guest is able to figure out the correct CPU model
@@ -36,5 +36,5 @@ index 1d1be1711..6ebee26ce 100644
  	}
 
 -- 
-2.45.2
+2.46.0
 
@@ -1,7 +1,7 @@
-From 90ac78311def7100de26d543d862c56561526f7f Mon Sep 17 00:00:00 2001
+From 4aa73d29ed5300bb530483e29c03c7cd4cb2f342 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:51:20 +0000
-Subject: [PATCH 3/4] runtime: agent: verify the agent policy hash
+Subject: [PATCH 03/12] runtime: agent: verify the agent policy hash
 
 For TEE Guests that support the inclusion of immutable Host owned
 data in their configuration (SNP HostData and TDX MRCONFIGID):
@@ -1287,5 +1287,5 @@ index b58daccaa..af35af12e 100644
  	spec := s.GetPatchedOCISpec()
  	if spec != nil && spec.Process.SelinuxLabel != "" {
 -- 
-2.45.2
+2.46.0
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		"THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING"