genpolicy: Introduce UpdateInterfaceRequest rules in genpolicy-settings

Introduce rules for UpdateInterfaceRequest and genpolicy tests for them.

Signed-off-by: Cameron Baird <[email protected]>

Author: Camelron

src/tools/genpolicy/genpolicy-settings.json

@@ -324,6 +324,24 @@
             ],
             "allow_env_regex_map": {}
         },
+        "UpdateInterfaceRequest": {
+            "interface": {
+                "device": "eth0",
+                "name": "eth0",
+                "IPAddresses": [
+                    {
+                        "family": 0,
+                        "address": "10.244.0.14",
+                        "mask": "24"
+                    },
+                    {
+                        "family": 1,
+                        "address": "fe80::6474:9fff:fe6a:9601",
+                        "mask": "64"
+                    }
+                ]
+            }
+        },
         "CopyFileRequest": [
             "$(sfprefix)"
         ],

src/tools/genpolicy/rules.rego

@@ -38,7 +38,7 @@ default StopTracingRequest := false
 default TtyWinResizeRequest := true
 default UpdateContainerRequest := false
 default UpdateEphemeralMountsRequest := false
-default UpdateInterfaceRequest := true
+default UpdateInterfaceRequest := false
 default UpdateRoutesRequest := true
 default WaitProcessRequest := true
 default WriteStreamRequest := false
@@ -1633,6 +1633,33 @@ ExecProcessRequest {
     print("ExecProcessRequest 3: true")
 }
 
+UpdateInterfaceRequest {
+    print("UpdateInterfaceRequest 1: input =", input)
+
+    i_interface := input.interface
+    p_interface := policy_data.request_defaults.UpdateInterfaceRequest.interface
+
+    print("UpdateInterfaceRequest 1: p_interface.device =", p_interface.device)
+    print("UpdateInterfaceRequest 1: i_interface.device =", i_interface.device)
+
+    i_interface.device == p_interface.device
+
+    print("UpdateInterfaceRequest 1: p_interface.name =", p_interface.name)
+    print("UpdateInterfaceRequest 1: i_interface.name =", i_interface.name)
+
+    i_interface.name == p_interface.name
+
+    print("UpdateInterfaceRequest 1 device check passed")
+
+    print("UpdateInterfaceRequest 1: p_interface.IPAddresses =", p_interface.IPAddresses)
+    every ip in i_interface.IPAddresses {
+        print("UpdateInterfaceRequest 1: i_interface.IPAddresses[x] =", ip)
+        ip in p_interface.IPAddresses
+    }
+
+    print("UpdateInterfaceRequest 1: true")
+}
+
 CloseStdinRequest {
     policy_data.request_defaults.CloseStdinRequest == true
 }

src/tools/genpolicy/src/policy.rs

@@ -327,6 +327,39 @@ pub struct ExecProcessRequestDefaults {
     regex: Vec<String>,
 }
 
+/// IP address struct schema for genpolicy-settings.json.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct IPAddress {
+    /// IP family; 0 for ipv4 or 1 for ipv6
+    family: u8,
+
+    /// IP address
+    address: String,
+
+    /// IP mask
+    mask: String,
+}
+
+/// Interface struct schema for genpolicy-settings.json.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct Interface {
+    /// Network device
+    device: String,
+
+    /// Device name
+    name: String,
+
+    /// List of valid IP addresses
+    IPAddresses: Vec<IPAddress>,
+}
+
+/// UpdateInterfaceRequest settings from genpolicy-settings.json.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct UpdateInterfaceRequestDefaults {
+    /// Example interface configuration
+    interface: Interface,
+}
+
 /// Settings specific to each kata agent endpoint, loaded from
 /// genpolicy-settings.json.
 #[derive(Clone, Debug, Serialize, Deserialize)]
@@ -340,6 +373,9 @@ pub struct RequestDefaults {
     /// Commands allowed to be executed by the Host in all Guest containers.
     pub ExecProcessRequest: ExecProcessRequestDefaults,
 
+    /// Interfaces allowed to be updated to in all Guest sandboxes.
+    pub UpdateInterfaceRequest: UpdateInterfaceRequestDefaults,
+
     /// Allow the Host to close stdin for a container. Typically used with WriteStreamRequest.
     pub CloseStdinRequest: bool,
 

src/tools/genpolicy/tests/main.rs

@@ -9,7 +9,7 @@ use std::path;
 use std::process::Command;
 use std::str;
 
-use protocols::agent::CreateSandboxRequest;
+use protocols::agent::{CreateSandboxRequest, UpdateInterfaceRequest};
 use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 
@@ -102,3 +102,8 @@ where
 fn test_create_sandbox() {
     runtests::<CreateSandboxRequest>("createsandbox");
 }
+
+#[test]
+fn test_update_interface() {
+    runtests::<UpdateInterfaceRequest>("updateinterface");
+}

src/tools/genpolicy/tests/testdata/updateinterface/pod.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: dummy
+spec:
+  runtimeClassName: kata-cc-isolation
+  containers:
+  - name: dummy
+    image: registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db

src/tools/genpolicy/tests/testdata/updateinterface/testcases.json

@@ -0,0 +1,58 @@
+[
+  {
+    "description": "standard eth0 interface",
+    "allowed": true,
+    "request": {
+      "interface": {
+          "device": "eth0",
+          "name": "eth0",
+          "IPAddresses": [
+              {"family":0, "address":"10.244.0.14", "mask":"24"},
+              {"family":1, "address":"fe80::6474:9fff:fe6a:9601", "mask":"64"}
+          ],
+          "mtu": 1500,
+          "hwAddr": "66:74:9f:6a:96:01",
+          "pciPath": "",
+          "type_": "",
+          "raw_flags": 0
+      }
+    }
+  },
+  {
+    "description": "loopback interface",
+    "allowed": false,
+    "request": {
+      "interface": {
+          "device": "lo",
+          "name": "lo",
+          "IPAddresses": [
+              {"family":0, "address":"10.244.0.14", "mask":"24"},
+              {"family":1, "address":"fe80::6474:9fff:fe6a:9601", "mask":"64"}
+          ],
+          "mtu": 1500,
+          "hwAddr": "66:74:9f:6a:96:01",
+          "pciPath": "",
+          "type_": "",
+          "raw_flags": 0
+      }
+    }
+  },
+  {
+    "description": "bad ip",
+    "allowed": false,
+    "request": {
+      "interface": {
+          "device": "eth0",
+          "name": "eth0",
+          "IPAddresses": [
+              {"family":0, "address":"127.0.0.1", "mask":"24"}
+          ],
+          "mtu": 1500,
+          "hwAddr": "66:74:9f:6a:96:01",
+          "pciPath": "",
+          "type_": "",
+          "raw_flags": 0
+      }
+    }
+  }
+]