Saulparedes/genpolicy sync [DO NOT MERGE]

src/tools/genpolicy/genpolicy-advanced-command-line-parameters.md

@@ -83,10 +83,10 @@ $ genpolicy -j my-settings.json -y test.yaml
 
 # Use a custom path to `genpolicy` input files
 
-By default, the `genpolicy` input files [`rules.rego`](rules.rego) and [`genpolicy-settings.json`](genpolicy-settings.json) must be present in the current directory - otherwise `genpolicy` returns an error. Users can specify a different path to these two files, using the `-i` command line parameter - e.g.,
+By default, the `genpolicy` input files [`rules.rego`](rules.rego) and [`genpolicy-settings.json`](genpolicy-settings.json) must be present in the current directory - otherwise `genpolicy` returns an error. Users can specify different paths to these two files, using the `-p` and `-j` command line parameters - e.g.,
 
 ```bash
-$ genpolicy -i /tmp -y test.yaml
+$ genpolicy -p /tmp/rules.rego -j /tmp/genpolicy-settings.json -y test.yaml
 ```
 
 # Silently ignore unsupported input `YAML` fields

src/tools/genpolicy/genpolicy-settings.json

@@ -136,6 +136,17 @@
     },
     "volumes": {
         "emptyDir": {
+            "mount_type": "local",
+            "mount_source": "^$(cpath)/$(sandbox-id)/rootfs/local/",
+            "mount_point": "^$(cpath)/$(sandbox-id)/local/",
+            "driver": "local",
+            "source": "local",
+            "fstype": "local",
+            "options": [
+                "mode=0777"
+            ]
+        },
+        "confidential_emptyDir": {
             "mount_type": "local",
             "mount_source": "^$(cpath)/$(sandbox-id)/local/",
             "mount_point": "^$(cpath)/$(sandbox-id)/local/",
@@ -277,7 +288,10 @@
         ]
     },
     "kata_config": {
-        "confidential_guest": true
+        "confidential_guest": false
+    },
+    "cluster_config": {
+        "default_namespace": "default"
     },
     "request_defaults": {
         "CreateContainerRequest": {
@@ -306,6 +320,7 @@
         },
         "ReadStreamRequest": true,
         "UpdateEphemeralMountsRequest": false,
+        "CloseStdinRequest": false,
         "WriteStreamRequest": false
     }
-}
+}

src/tools/genpolicy/rules.rego

@@ -10,22 +10,35 @@ import future.keywords.every
 import input
 
 # Default values, returned by OPA when rules cannot be evaluated to true.
+default AddARPNeighborsRequest := false
+default AddSwapRequest := false
+default CloseStdinRequest := false
 default CopyFileRequest := false
 default CreateContainerRequest := false
 default CreateSandboxRequest := false
 default DestroySandboxRequest := true
 default ExecProcessRequest := false
 default GetOOMEventRequest := true
 default GuestDetailsRequest := true
+default ListInterfacesRequest := false
+default ListRoutesRequest := false
+default MemHotplugByProbeRequest := false
 default OnlineCPUMemRequest := true
-default PullImageRequest := true
+default PauseContainerRequest := false
 default ReadStreamRequest := false
 default RemoveContainerRequest := true
 default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := false
+default SetGuestDateTimeRequest := false
+default SetPolicyRequest := false
 default SignalProcessRequest := true
 default StartContainerRequest := true
+default StartTracingRequest := false
 default StatsContainerRequest := true
+default StopTracingRequest := false
 default TtyWinResizeRequest := true
+default UpdateContainerRequest := false
 default UpdateEphemeralMountsRequest := false
 default UpdateInterfaceRequest := true
 default UpdateRoutesRequest := true
@@ -540,6 +553,7 @@ allow_env(p_process, i_process, s_name) {
     print("allow_env: i env =", i_process.Env)
 
     every i_var in i_process.Env {
+        print("allow_env: i_var =", i_var)
         allow_var(p_process, i_process, i_var, s_name)
     }
 
@@ -548,56 +562,38 @@ allow_env(p_process, i_process, s_name) {
 
 # Allow input env variables that are present in the policy data too.
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 1: i_var =", i_var)
-
     some p_var in p_process.Env
     p_var == i_var
-
     print("allow_var 1: true")
 }
 
 # Match input with one of the policy variables, after substituting $(sandbox-name).
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 2: i_var =", i_var)
-
     some p_var in p_process.Env
     p_var2 := replace(p_var, "$(sandbox-name)", s_name)
-    print("allow_var 2: p_var2 =", p_var2)
 
+    print("allow_var 2: p_var2 =", p_var2)
     p_var2 == i_var
 
     print("allow_var 2: true")
 }
 
 # Allow input env variables that match with a request_defaults regex.
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 3: start")
-
     some p_regex1 in policy_data.request_defaults.CreateContainerRequest.allow_env_regex
-    print("allow_var 3: p_regex1 =", p_regex1)
-
     p_regex2 := replace(p_regex1, "$(ipv4_a)", policy_data.common.ipv4_a)
-    print("allow_var 3: p_regex2 =", p_regex2)
-
     p_regex3 := replace(p_regex2, "$(ip_p)", policy_data.common.ip_p)
-    print("allow_var 3: p_regex3 =", p_regex3)
-
     p_regex4 := replace(p_regex3, "$(svc_name)", policy_data.common.svc_name)
-    print("allow_var 3: p_regex4 =", p_regex4)
-
     p_regex5 := replace(p_regex4, "$(dns_label)", policy_data.common.dns_label)
-    print("allow_var 3: p_regex5 =", p_regex5)
 
-    print("allow_var 3: i_var =", i_var)
+    print("allow_var 3: p_regex5 =", p_regex5)
     regex.match(p_regex5, i_var)
 
     print("allow_var 3: true")
 }
 
 # Allow fieldRef "fieldPath: status.podIP" values.
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 4: i_var =", i_var)
-
     name_value := split(i_var, "=")
     count(name_value) == 2
     is_ip(name_value[1])
@@ -610,8 +606,6 @@ allow_var(p_process, i_process, i_var, s_name) {
 
 # Allow common fieldRef variables.
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 5: i_var =", i_var)
-
     name_value := split(i_var, "=")
     count(name_value) == 2
 
@@ -631,8 +625,6 @@ allow_var(p_process, i_process, i_var, s_name) {
 
 # Allow fieldRef "fieldPath: status.hostIP" values.
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 6: i_var =", i_var)
-
     name_value := split(i_var, "=")
     count(name_value) == 2
     is_ip(name_value[1])
@@ -645,8 +637,6 @@ allow_var(p_process, i_process, i_var, s_name) {
 
 # Allow resourceFieldRef values (e.g., "limits.cpu").
 allow_var(p_process, i_process, i_var, s_name) {
-    print("allow_var 7: i_var =", i_var)
-
     name_value := split(i_var, "=")
     count(name_value) == 2
 
@@ -727,9 +717,10 @@ allow_root_path(p_oci, i_oci, bundle_id) {
 
 # device mounts
 allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
-    print("allow_mount: start")
+    print("allow_mount: i_mount =", i_mount)
 
     some p_mount in p_oci.Mounts
+    print("allow_mount: p_mount =", p_mount)
     check_mount(p_mount, i_mount, bundle_id, sandbox_id)
 
     # TODO: are there any other required policy checks for mounts - e.g.,
@@ -739,22 +730,12 @@ allow_mount(p_oci, i_mount, bundle_id, sandbox_id) {
 }
 
 check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
-    print("check_mount 1: p_mount =", p_mount)
-    print("check_mount 1: i_mount =", i_mount)
-
     p_mount == i_mount
-
     print("check_mount 1: true")
 }
 check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
-    print("check_mount 2: i destination =", i_mount.destination, "p destination =", p_mount.destination)
     p_mount.destination == i_mount.destination
-
-    print("check_mount 2: i type =", i_mount.type_, "p type =", p_mount.type_)
     p_mount.type_ == i_mount.type_
-
-    print("check_mount 2: i options =", i_mount.options)
-    print("check_mount 2: p options =", p_mount.options)
     p_mount.options == i_mount.options
 
     mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id)
@@ -763,39 +744,23 @@ check_mount(p_mount, i_mount, bundle_id, sandbox_id) {
 }
 
 mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
-    print("mount_source_allows 1: i_mount.source =", i_mount.source)
-
     regex1 := p_mount.source
-    print("mount_source_allows 1: regex1 =", regex1)
-
     regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
-    print("mount_source_allows 1: regex2 =", regex2)
-
     regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
-    print("mount_source_allows 1: regex3 =", regex3)
-
     regex4 := replace(regex3, "$(bundle-id)", bundle_id)
-    print("mount_source_allows 1: regex4 =", regex4)
 
+    print("mount_source_allows 1: regex4 =", regex4)
     regex.match(regex4, i_mount.source)
 
     print("mount_source_allows 1: true")
 }
 mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
-    print("mount_source_allows 2: i_mount.source=", i_mount.source)
-
     regex1 := p_mount.source
-    print("mount_source_allows 2: regex1 =", regex1)
-
     regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
-    print("mount_source_allows 2: regex2 =", regex2)
-
     regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
-    print("mount_source_allows 2: regex3 =", regex3)
-
     regex4 := replace(regex3, "$(sandbox-id)", sandbox_id)
-    print("mount_source_allows 2: regex4 =", regex4)
 
+    print("mount_source_allows 2: regex4 =", regex4)
     regex.match(regex4, i_mount.source)
 
     print("mount_source_allows 2: true")
@@ -942,7 +907,6 @@ allow_overlay_layer(policy_id, policy_hash, i_option) {
 }
 
 allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
-    print("allow_mount_point 1: i_storage.mount_point =", i_storage.mount_point)
     p_storage.fstype == "tar"
 
     startswith(p_storage.mount_point, "$(layer")
@@ -964,7 +928,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
     print("allow_mount_point 1: true")
 }
 allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
-    print("allow_mount_point 2: i_storage.mount_point =", i_storage.mount_point)
     p_storage.fstype == "fuse3.kata-overlay"
 
     mount1 := replace(p_storage.mount_point, "$(cpath)", policy_data.common.cpath)
@@ -976,7 +939,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
     print("allow_mount_point 2: true")
 }
 allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
-    print("allow_mount_point 3: i_storage.mount_point =", i_storage.mount_point)
     p_storage.fstype == "local"
 
     mount1 := p_storage.mount_point
@@ -993,7 +955,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
     print("allow_mount_point 3: true")
 }
 allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
-    print("allow_mount_point 4: i_storage.mount_point =", i_storage.mount_point)
     p_storage.fstype == "bind"
 
     mount1 := p_storage.mount_point
@@ -1010,7 +971,6 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
     print("allow_mount_point 4: true")
 }
 allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
-    print("allow_mount_point 5: i_storage.mount_point =", i_storage.mount_point)
     p_storage.fstype == "tmpfs"
 
     mount1 := p_storage.mount_point
@@ -1150,9 +1110,10 @@ ExecProcessRequest {
     print("ExecProcessRequest 1: input =", input)
 
     i_command = concat(" ", input.process.Args)
-    print("ExecProcessRequest 3: i_command =", i_command)
+    print("ExecProcessRequest 1: i_command =", i_command)
 
     some p_command in policy_data.request_defaults.ExecProcessRequest.commands
+    print("ExecProcessRequest 1: p_command =", p_command)
     p_command == i_command
 
     print("ExecProcessRequest 1: true")
@@ -1187,6 +1148,10 @@ ExecProcessRequest {
     print("ExecProcessRequest 3: true")
 }
 
+CloseStdinRequest {
+    policy_data.request_defaults.CloseStdinRequest == true
+}
+
 ReadStreamRequest {
     policy_data.request_defaults.ReadStreamRequest == true
 }

src/tools/genpolicy/src/config_map.rs

@@ -116,10 +116,6 @@ impl yaml::K8sResource for ConfigMap {
         panic!("Unsupported");
     }
 
-    fn get_namespace(&self) -> String {
-        panic!("Unsupported");
-    }
-
     fn get_container_mounts_and_storages(
         &self,
         _policy_mounts: &mut Vec<policy::KataMount>,

src/tools/genpolicy/src/daemon_set.rs

@@ -84,7 +84,7 @@ impl yaml::K8sResource for DaemonSet {
         None
     }
 
-    fn get_namespace(&self) -> String {
+    fn get_namespace(&self) -> Option<String> {
         self.metadata.get_namespace()
     }
 
@@ -111,7 +111,7 @@ impl yaml::K8sResource for DaemonSet {
     }
 
     fn serialize(&mut self, policy: &str) -> String {
-        yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy);
+        yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy);
         serde_yaml::to_string(&self.doc_mapping).unwrap()
     }
 
@@ -120,7 +120,10 @@ impl yaml::K8sResource for DaemonSet {
     }
 
     fn get_annotations(&self) -> &Option<BTreeMap<String, String>> {
-        &self.spec.template.metadata.annotations
+        if let Some(metadata) = &self.spec.template.metadata {
+            return &metadata.annotations;
+        }
+        &None
     }
 
     fn use_host_network(&self) -> bool {

src/tools/genpolicy/src/deployment.rs

@@ -82,7 +82,7 @@ impl yaml::K8sResource for Deployment {
         None
     }
 
-    fn get_namespace(&self) -> String {
+    fn get_namespace(&self) -> Option<String> {
         self.metadata.get_namespace()
     }
 
@@ -109,7 +109,7 @@ impl yaml::K8sResource for Deployment {
     }
 
     fn serialize(&mut self, policy: &str) -> String {
-        yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template.metadata", policy);
+        yaml::add_policy_annotation(&mut self.doc_mapping, "spec.template", policy);
         serde_yaml::to_string(&self.doc_mapping).unwrap()
     }
 
@@ -118,7 +118,10 @@ impl yaml::K8sResource for Deployment {
     }
 
     fn get_annotations(&self) -> &Option<BTreeMap<String, String>> {
-        &self.spec.template.metadata.annotations
+        if let Some(metadata) = &self.spec.template.metadata {
+            return &metadata.annotations;
+        }
+        &None
     }
 
     fn use_host_network(&self) -> bool {