microsoft · miz060 · Apr 17, 2024 · Apr 15, 2024 · Apr 17, 2024 · Apr 8, 2024
@@ -0,0 +1,5 @@
+# By default, all files require review by members of these teams
+* @microsoft/kata-cc-devs @microsoft/kata-cc-admins
+
+# Modifications to this file require admin approval
+/.github/CODEOWNERS @microsoft/kata-cc-admins
@@ -0,0 +1,11 @@
+###### Merge Checklist  <!-- REQUIRED -->
+- [ ] Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
+  - [ ] Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
+- [ ] Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
+- [ ] The `upstream/missing` label (or `upstream/not-needed`) has been set on the PR. 
+
+###### Summary <!-- REQUIRED -->
+<!-- Quick explanation of WHAT changed and WHY. -->
+
+###### Test Methodology
+<!-- How was this test validated? i.e. local build, pipeline build etc. -->
@@ -0,0 +1,128 @@
+name: Release Binary Hardening checks
+
+on:
+  pull_request:
+    branches:
+      - msft-main
+
+jobs:
+  binskim:
+    name: Run BinSkim on Compiled Binaries
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Install Dependencies
+        run: |
+          echo "Installing dependencies..."
+          sudo apt-get update
+          sudo apt-get install -y git golang rustc cargo build-essential protobuf-compiler libprotobuf-dev expect libssl-dev clang libseccomp-dev btrfs-progs libdevmapper-dev cmake libfuse-dev
+          sudo add-apt-repository ppa:dotnet/backports
+          sudo apt-get install -y dotnet-sdk-9.0 aspnetcore-runtime-9.0 dotnet-runtime-9.0 zlib1g
+
+      - name: Set up BinSkim
+        run: |
+          dotnet new console -n TempConsoleApp
+          cd TempConsoleApp
+          echo "Installing BinSkim version 1.9.5"
+          dotnet add package Microsoft.CodeAnalysis.BinSkim --version 1.9.5
+          ls ~/.nuget/packages/microsoft.codeanalysis.binskim/
+          sudo mv ~/.nuget/packages/microsoft.codeanalysis.binskim/ $GITHUB_WORKSPACE
+          sudo ln -sf "$GITHUB_WORKSPACE/microsoft.codeanalysis.binskim/1.9.5/tools/netcoreapp3.1/linux-x64/BinSkim" /usr/local/bin/binskim
+
+
+      - name: Build kata/kata-cc artifacts
+        run: |
+          echo "Building kata pod sandboxing binaries"
+          pushd tools/osbuilder/node-builder/azure-linux
+          # Adapt build script for ubuntu environment
+          sed -i 's|^OS_VERSION=.*|OS_VERSION="3.0"|' common.sh
+          make package
+          popd
+
+          # Prepare go binaries for binskim
+          pushd src/runtime
+          strip --strip-unneeded containerd-shim-kata-v2
+          popd
+
+          mkdir -p artifacts/vanilla artifacts/confpods
+          KATA_AGENT_PATH=$(find src/agent/ -type f -name "kata-agent" | head -n 1)
+          KATA_SHIM_PATH=$(find src/runtime/ -type f -name "containerd-shim-kata-v2" | head -n 1)
+
+          echo "agent: ${KATA_AGENT_PATH}"
+          echo "shim: ${KATA_SHIM_PATH}"
+
+          # Move kata pod sandboxing binaries to artifacts/vanilla
+          mv "${KATA_AGENT_PATH}" "${KATA_SHIM_PATH}" artifacts/vanilla/
+
+          echo "Building kata confpod binaries"
+          pushd tools/osbuilder/node-builder/azure-linux
+          make clean
+          make package-confpods
+          popd
+
+          TARDEV_SNAPSHOTTER_PATH=$(find src/tardev-snapshotter/ -type f -name "tardev-snapshotter" | head -n 1)
+          OVERLAY_PATH=$(find src/overlay/ -type f -name "kata-overlay" | head -n 1)
+          echo "tardev: ${TARDEV_SNAPSHOTTER_PATH}"
+          echo "overlay: ${OVERLAY_PATH}"
+
+          # Prepare go binaries for binskim
+          pushd src/runtime
+          strip --strip-unneeded containerd-shim-kata-v2
+          popd
+
+          # Move kata confpod binaries to artifacts/confpods
+          mv "${KATA_AGENT_PATH}" "${KATA_SHIM_PATH}" "${TARDEV_SNAPSHOTTER_PATH}" "${OVERLAY_PATH}" artifacts/confpods/
+
+      - name: Run BinSkim on kata pod sandboxing binaries
+        run: |
+          for binary in artifacts/vanilla/*; do
+            echo "Running BinSkim on $binary"
+            binskim analyze "$binary" --level Error --kind "Pass;Fail" > "${binary}_binskim_result"
+          done
+
+      - name: Run BinSkim on kata confpod binaries
+        run: |
+          for binary in artifacts/confpods/*; do
+            echo "Running BinSkim on $binary"
+            binskim analyze "$binary" --level Error --kind "Pass;Fail" > "${binary}_binskim_result"
+          done
+
+      - name: Validate BinSkim results
+        run: |
+          # Validate pod sandboxing binaries
+          for result in artifacts/vanilla/*_binskim_result; do
+            if [ ! -f "$result" ]; then
+              echo "❌ Error: $result was not generated."
+              exit 1
+            fi
+            echo "Validating: pod sandboxing ${result}" 
+            cat "$result"
+
+            if grep -qi "fail" "$result"; then
+              echo "❌ Error: Failures detected in pod sandboxing binary: $result"
+              exit 1
+            fi
+            echo "--------------------------- End-------------------------"
+          done
+          echo "✅ All pod sandboxing binaries passed BinSkim."
+
+          # Validate confpod binaries
+          for result in artifacts/confpods/*_binskim_result; do
+            if [ ! -f "$result" ]; then
+              echo "❌ Error: $result was not generated."
+              exit 1
+            fi
+            echo "Validating: conf pod ${result}" 
+            cat "$result"
+
+            if grep -qi "fail" "$result"; then
+              echo "❌ Error: Failures detected in Confidential Pod binary: $result"
+              exit 1
+            fi
+            echo "--------------------------- End-------------------------"
+          done
+          echo "✅ All confpod binaries passed BinSkim."
+
@@ -33,6 +33,7 @@ jobs:
           - cloud-hypervisor
           - cloud-hypervisor-glibc
           - firecracker
+          - genpolicy
           - kata-ctl
           - kernel
           - kernel-sev

@@ -0,0 +1,49 @@
+# Copyright (c) Microsoft Corporation.
+
+name: Check policy samples
+
+on:
+  pull_request:
+
+jobs:
+  check-policy-samples:
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Install yq
+      env:
+        INSTALL_IN_GOPATH: false
+      run: |
+        ./ci/install_yq.sh
+
+    - name: Install Rust
+      run: |
+        ./tests/install_rust.sh
+        echo "${HOME}/.cargo/bin" >> $GITHUB_PATH
+
+    - name: Install protobuf-compiler
+      run: |
+        sudo apt-get -y install protobuf-compiler
+
+    - name: Configure containerd
+      run: |
+        sudo containerd config default | sudo dd of=/etc/containerd/config.toml
+        sudo systemctl restart containerd
+        sudo systemctl is-active containerd
+
+    - name: Update policy samples
+      working-directory: ./src/tools/genpolicy
+      run: |
+        python3 update_policy_samples.py
+
+    - name: Show diff
+      run: |
+        git diff
+
+    - name: Check policy samples
+      run: |
+        git diff-files --exit-code
@@ -0,0 +1,55 @@
+name: Release Static Checks
+
+on:
+  pull_request:
+    branches:
+      - msft-main
+
+jobs:
+  clippy:
+    name: Run Clippy on Rust Components
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libdevmapper-dev clang llvm
+
+      - name: Install Rust Toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+
+      - name: Run Clippy on agent
+        working-directory: src/agent
+        run: |
+          echo "Running Clippy on kata agent..."
+          if ! cargo clippy -- -D warnings; then
+            echo "❌ Clippy check failed for kata agent."
+            exit 1
+          fi
+          echo "✅ Clippy check passed for kata agent."
+
+      - name: Run Clippy on overlay
+        working-directory: src/overlay
+        run: |
+          echo "Running Clippy on kata overlay..."
+          if ! cargo clippy -- -D warnings; then
+            echo "❌ Clippy check failed for kata overlay."
+            exit 1
+          fi
+          echo "✅ Clippy check passed for kata overlay."
+
+      - name: Run Clippy on tardev-snapshotter
+        working-directory: src/tardev-snapshotter
+        run: |
+          echo "Running Clippy on tardev-snapshotter..."
+          if ! cargo clippy -- -D warnings; then
+            echo "❌ Clippy check failed for tardev-snapshotter."
+            exit 1
+          fi
+          echo "✅ Clippy check passed for tardev-snapshotter."
@@ -86,17 +86,6 @@ jobs:
         error: 'Body line too long (max 150)'
         post_error: ${{ env.error_msg }}
 
-    - name: Check Fixes
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/[email protected]
-      with:
-        commits: ${{ steps.get-pr-commits.outputs.commits }}
-        pattern: '\s*Fixes\s*:?\s*(#\d+|github\.com\/kata-containers\/[a-z-.]*#\d+)|^\s*release\s*:'
-        flags: 'i'
-        error: 'No "Fixes" found'
-        post_error: ${{ env.error_msg }}
-        one_pass_all_pass: 'true'
-
     - name: Check Subsystem
       if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
       uses: tim-actions/[email protected]

@@ -62,11 +62,10 @@ jobs:
             grep -v "^\#"  |\
             cut -d';' -f3 || true)
 
-          # PR doesn't have any linked issues
-          # (it should, but maybe a new user forgot to add a "Fixes: #XXX" commit).
+          # PR doesn't have any linked issues, handle it only if it exists
           [ -z "$linked_issue_urls" ] && {
-            echo "::error::No linked issues for PR $pr"
-            exit 1
+            echo "::warning::No linked issues for PR $pr"
+            exit 0
           }
 
           project_name="Issue backlog"

@@ -0,0 +1,37 @@
+name: Release Static Checks
+
+on:
+  pull_request:
+    branches:
+      - msft-main
+
+jobs:
+  nancy:
+    name: Run Nancy on Go Dependencies
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable  # Use latest stable Go version
+
+      - name: Install Nancy via Go
+        run: |
+          echo "Installing Nancy..."
+          go install github.com/sonatype-nexus-community/nancy@latest
+          echo "$HOME/go/bin" >> $GITHUB_PATH
+
+      - name: Verify Nancy Installation
+        run: |
+          echo "Checking Nancy installation..."
+          nancy --help || echo "Nancy installed successfully!"
+
-      - name: Verify Nancy Installation
-        run: |
-          echo "Checking Nancy installation..."
-          nancy --help || echo "Nancy installed successfully!"
-      - name: Verify Nancy Installation
-        run: |
-          echo "Checking Nancy installation..."
-          nancy --help || echo "Nancy installed successfully!"
+      - name: Run Nancy on `src/runtime`
+        working-directory: src/runtime
+        run: |
+          echo "Running Nancy vulnerability scan on Go dependencies..."
+          go list -m all | nancy sleuth
@@ -49,6 +49,7 @@ jobs:
           - log-parser-rs
           - runk
           - trace-forwarder
+          - genpolicy
         command:
           - "make vendor"
           - "make check"
@@ -78,6 +79,8 @@ jobs:
             install-libseccomp: yes
           - component: runk
             install-libseccomp: yes
+          - component: genpolicy
+            component-path: src/tools/genpolicy
     steps:
       - name: Checkout the code
         uses: actions/checkout@v4
@@ -98,9 +101,15 @@ jobs:
         run: |
           ./tests/install_rust.sh
           echo "${HOME}/.cargo/bin" >> $GITHUB_PATH
+      - name: Install protobuf-compiler
+        if: ${{ matrix.command == 'make check' && matrix.component == 'genpolicy' }}
+        run: sudo apt-get -y install protobuf-compiler
       - name: Install musl-tools
         if: ${{ matrix.component != 'runtime' }}
         run: sudo apt-get -y install musl-tools
+      - name: Install devicemapper
+        if: ${{ (matrix.command == 'make check' || matrix.command == 'make test') && matrix.component == 'agent' }}
+        run: sudo apt-get -y install libdevmapper-dev
       - name: Install libseccomp
         if: ${{ matrix.command != 'make vendor'  &&  matrix.command != 'make check' &&  matrix.install-libseccomp == 'yes' }}
         run: |

@@ -15,3 +15,24 @@ src/agent/protocols/src/*.rs
 !src/agent/protocols/src/lib.rs
 build
 src/tools/log-parser/kata-log-parser
+
+# Microsoft-specific
+.cargo/
+vendor/
+src/agent/samples/policy/test-input/
+src/tarfs/**/*.cmd
+src/tarfs/**/*.ko
+src/tarfs/**/*.mod
+src/tarfs/**/*.mod.c
+src/tarfs/**/*.o
+src/tarfs/**/modules.order
+src/tarfs/**/Module.symvers
+src/tarfs-cvm/
+tools/osbuilder/kata-containers-igvm.img
+tools/osbuilder/kata-containers-igvm-debug.img
+tools/osbuilder/igvm-debug-measurement.cose
+tools/osbuilder/igvm-measurement.cose
+tools/osbuilder/root_hash.txt
+tools/osbuilder/igvm.log
+tools/osbuilder/kata-opa.service
+tools/osbuilder/rootfs-builder/opa/