@danmihai1

Add policy support for SecurityContext and PodSecurityContext runAsUser.

Also, remove outdated UID rule workaround.

Add policy support for SecurityContext and PodSecurityContext
runAsUser.

Also, remove outdated UID rule workaround.

Fixes: kata-containers#8879

Signed-off-by: Dan Mihai <[email protected]>

Update samples after adding support for runAsUser.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1 danmihai1 requested review from Redent0r and arc9693 January 23, 2024 05:41
@danmihai1 danmihai1 requested review from a team as code owners January 23, 2024 05:41
process.User.UID = uid.try_into().unwrap();
}
if let Some(allow) = context.allowPrivilegeEscalation {
process.NoNewPrivileges = !allow
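
Review bot: `uid.try_into().unwrap()` in the `process.User.UID` assignment panics whenever `uid` does not fit the target integer type, so an out-of-range value in the input aborts the tool with a panic instead of a clear error. Consider handling the failed conversion explicitly and reporting which field held the bad value. The `process.NoNewPrivileges = !allow` line also lacks a trailing semicolon; it compiles because the assignment is the block's tail expression of type `()`, but adding the semicolon would match the statements around it.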

Does this compile with the missing semicolon? I'm guessing Rust considers this as a void expression?

Author

It does - even the make check below passed.

I would rather change this in a future PR, to avoid re-testing. I agree it looks odd, and it wasn't intentional. I forgot it in there because this code used to look a bit differently:

        process.NoNewPrivileges = if let Some(allow) = context.allowPrivilegeEscalation {
            !allow
        } else {
            // something else that we don't need here
        };

@sprt sprt added the upstream/missing PRs that are yet to be upstreamed label Jan 23, 2024
@danmihai1 danmihai1 merged commit 5799fdf into msft-main Jan 24, 2024
@danmihai1 danmihai1 deleted the danmihai1/run-as-user branch April 26, 2024 22:05
@Redent0r Redent0r added upstream/merged PRs that have been merged upstream and removed upstream/missing PRs that are yet to be upstreamed labels Jul 25, 2024