Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve the SetPolicy and CopyFile policy behavior #137

Merged
merged 4 commits into from
Dec 29, 2023
Merged

Improve the SetPolicy and CopyFile policy behavior #137

merged 4 commits into from
Dec 29, 2023

Conversation

danmihai1
Copy link

agent: improve policy handling of CopyFile
genpolicy: block some symlink create requests
agent: Don't release the lock between is_allowed and set_policy calls,

@danmihai1
agent: hold lock while setting new policy
f1595b9 
Don't release the lock between is_allowed and set_policy calls,
because the policy might change in between these calls.

Also, move more policy code into policy.rs.

Fixes: kata-containers#8734

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1
agent: improve policy handling of CopyFile
d3181c8 
1. When creating a symbolic link, the symlink_src field is a string
   representation of the data bytes vector from CopyFileRequest.
   It's easier to verity a string compared with a bytes vector in OPA.

2. When not creating a symbolic link, the data bytes field from
   CopyFileRequest is not present in PolicyCopyFileRequest, because it
   might be large and probably unused by OPA.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1
genpolicy: block some symlink create requests
2df8216 
Don't allow symlinks pointing outside of the Guest
/run/kata-containers/shared/containers/<...> path.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1
policy: update samples
07aa085 
Update policy samples after rules.rego change.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1 danmihai1 merged commit 3083bf9 into msft-main Dec 29, 2023
39 of 50 checks passed
@danmihai1 danmihai1 deleted the danmihai1/copy-file branch December 29, 2023 16:40
@sprt sprt added the upstream/missing PRs that are yet to be upstreamed label Jan 22, 2024
@Redent0r Redent0r added upstream/merged PRs that have been merged upstream and removed upstream/missing PRs that are yet to be upstreamed labels Sep 3, 2024
@Redent0r Redent0r added upstream/missing PRs that are yet to be upstreamed and removed upstream/merged PRs that have been merged upstream labels Jan 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Redent0r Redent0r Awaiting requested review from Redent0r

@christopherco christopherco Awaiting requested review from christopherco

@sprt sprt Awaiting requested review from sprt

@Sumynwa Sumynwa Awaiting requested review from Sumynwa

Assignees
No one assigned
Labels
upstream/missing PRs that are yet to be upstreamed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@danmihai1 @sprt @Redent0r