Merge pull request #149 from microsoft/danmihai/pick-up-upstream

genpolicy: pick up improvements from upstream

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -33,6 +33,7 @@ jobs:
           - cloud-hypervisor
           - cloud-hypervisor-glibc
           - firecracker
+          - genpolicy
           - kata-ctl
           - kernel
           - kernel-sev

.github/workflows/static-checks.yaml

@@ -49,6 +49,7 @@ jobs:
           - log-parser-rs
           - runk
           - trace-forwarder
+          - genpolicy
         command:
           - "make vendor"
           - "make check"
@@ -78,6 +79,8 @@ jobs:
             install-libseccomp: yes
           - component: runk
             install-libseccomp: yes
+          - component: genpolicy
+            component-path: src/tools/genpolicy
     steps:
       - name: Checkout the code
         uses: actions/checkout@v4

src/tools/genpolicy/Cargo.toml

@@ -1,3 +1,8 @@
+# Copyright (c) 2024 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
 [package]
 name = "genpolicy"
 version = "0.1.0"
@@ -35,7 +40,7 @@ async-trait = "0.1.68"
 docker_credential = "1.2.0"
 flate2 = { version = "1.0.26", features = ["zlib-ng"], default-features = false }
 oci-distribution = { version = "0.10.0" }
-openssl = { version = "0.10.54", features = ["vendored"] }
+openssl = { version = "0.10.54" }
 serde_ignored = "0.1.7"
 serde_json = "1.0.39"
 serde-transcode = "1.1.1"

src/tools/genpolicy/README.md

@@ -18,32 +18,12 @@ The Policy auto-generated by `genpolicy` is typically used for implementing conf
 
 # Building `genpolicy` from source code
 
-## Install build dependencies
+Build in docker container:
 
-Example for Ubuntu 22.04.3:
-
-```bash
-$ sudo apt-get update
-$ sudo apt-get install -y build-essential cmake curl git musl-dev musl-tools
-$ curl --proto '=https' --tlsv1.3 https://sh.rustup.rs -sSf | sh
-$ source "$HOME/.cargo/env"
-$ arch=$(uname -m)
-$ rustup target add "${arch}-unknown-linux-musl"
-```
-
-# Build `genpolicy`
-
-```bash
+```sh
 $ git clone https://github.com/kata-containers/kata-containers.git
-$ cd kata-containers/src/tools/genpolicy
-$ source "$HOME/.cargo/env"
-$ make && make install
-```
-
-If you want to use `LIBC=gnu` instead of the default `LIBC=musl`, change the last step above to:
-
-```bash
-$ LIBC=gnu make && LIBC=gnu make install
+$ cd kata-containers
+$ tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=genpolicy
 ```
 
 # Executing `genpolicy`

src/tools/genpolicy/rules.rego

@@ -1,3 +1,7 @@
+# Copyright (c) 2023 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
 package agent_policy
 
 import future.keywords.in
@@ -699,16 +703,17 @@ is_ip_other_byte(component) {
 
 # OCI root.Path
 allow_root_path(p_oci, i_oci, bundle_id) {
+    i_path := i_oci.Root.Path
     p_path1 := p_oci.Root.Path
-    print("allow_root_path: p_path1 =", p_path1)
+    print("allow_root_path: i_path =", i_path, "p_path1 =", p_path1)
 
     p_path2 := replace(p_path1, "$(cpath)", policy_data.common.cpath)
     print("allow_root_path: p_path2 =", p_path2)
 
     p_path3 := replace(p_path2, "$(bundle-id)", bundle_id)
     print("allow_root_path: p_path3 =", p_path3)
 
-    p_path3 == i_oci.Root.Path
+    p_path3 == i_path
 
     print("allow_root_path: true")
 }

src/tools/genpolicy/src/agent.rs

@@ -1,6 +1,6 @@
 use serde::{Deserialize, Serialize};
 
-#[derive(Clone, Debug , Serialize, Deserialize)]
+#[derive(Clone, Debug, Serialize, Deserialize)]
 pub struct Storage {
     pub driver: String,
     pub driver_options: Vec<String>,
@@ -15,4 +15,4 @@ pub struct Storage {
 pub struct SerializedFsGroup {
     pub group_id: u32,
     pub group_change_policy: u32,
-}
+}

src/tools/genpolicy/src/list.rs

@@ -75,13 +75,13 @@ impl yaml::K8sResource for List {
     }
 
     fn serialize(&mut self, policy: &str) -> String {
-        let policies: Vec<&str> = policy.split(":").collect();
+        let policies: Vec<&str> = policy.split(':').collect();
         let len = policies.len();
         assert!(len == self.resources.len());
 
         self.items.clear();
-        for i in 0..len {
-            let yaml = self.resources[i].serialize(policies[i]);
+        for (i, p) in policies.iter().enumerate().take(len) {
+            let yaml = self.resources[i].serialize(p);
             let document = serde_yaml::Deserializer::from_str(&yaml);
             let doc_value = Value::deserialize(document).unwrap();
             self.items.push(doc_value.clone());

src/tools/genpolicy/src/main.rs

@@ -3,8 +3,6 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-use clap::Parser;
-use env_logger;
 use log::{debug, info};
 
 mod agent;
@@ -32,88 +30,10 @@ mod verity;
 mod volume;
 mod yaml;
 
-#[derive(Debug, Parser)]
-struct CommandLineOptions {
-    #[clap(
-        short,
-        long,
-        help = "Kubernetes input/output YAML file path. stdin/stdout get used if this option is not specified."
-    )]
-    yaml_file: Option<String>,
-
-    #[clap(
-        short,
-        long,
-        help = "Optional Kubernetes config map YAML input file path"
-    )]
-    config_map_file: Option<String>,
-
-    #[clap(
-        short = 'j',
-        long,
-        default_value_t = String::from("genpolicy-settings.json"),
-        help = "genpolicy settings file name"
-    )]
-    settings_file_name: String,
-
-    #[clap(
-        short,
-        long,
-        default_value_t = String::from("."),
-        help = "Path to the rules.rego and settings input files"
-    )]
-    input_files_path: String,
-
-    #[clap(
-        short,
-        long,
-        help = "Create and use a cache of container image layer contents and dm-verity information (in ./layers_cache/)"
-    )]
-    use_cached_files: bool,
-
-    #[clap(
-        short,
-        long,
-        help = "Print the output Rego policy text to standard output"
-    )]
-    raw_out: bool,
-
-    #[clap(
-        short,
-        long,
-        help = "Print the base64 encoded output Rego policy to standard output"
-    )]
-    base64_out: bool,
-
-    #[clap(
-        short,
-        long,
-        help = "Ignore unsupported input Kubernetes YAML fields. This is not recommeded unless you understand exactly how genpolicy works!"
-    )]
-    silent_unsupported_fields: bool,
-}
-
 #[tokio::main]
 async fn main() {
     env_logger::init();
-
-    let args = CommandLineOptions::parse();
-
-    let mut config_map_files = Vec::new();
-    if let Some(config_map_file) = &args.config_map_file {
-        config_map_files.push(config_map_file.clone());
-    }
-
-    let config = utils::Config::new(
-        args.use_cached_files,
-        args.yaml_file,
-        &args.input_files_path,
-        &args.settings_file_name,
-        &config_map_files,
-        args.silent_unsupported_fields,
-        args.raw_out,
-        args.base64_out,
-    );
+    let config = utils::Config::new();
 
     debug!("Creating policy from yaml, settings, and rules.rego files...");
     let mut policy = policy::AgentPolicy::from_files(&config).await.unwrap();

src/tools/genpolicy/src/mount_and_storage.rs

@@ -32,9 +32,9 @@ pub fn get_policy_mounts(
     };
 
     for s_mount in settings_mounts {
-        if keep_settings_mount(settings, &s_mount, &yaml_container.volumeMounts) {
+        if keep_settings_mount(settings, s_mount, &yaml_container.volumeMounts) {
             let mut mount = s_mount.clone();
-            adjust_termination_path(&mut mount, &yaml_container);
+            adjust_termination_path(&mut mount, yaml_container);
 
             if mount.source.is_empty() && mount.type_.eq("bind") {
                 if let Some(file_name) = Path::new(&mount.destination).file_name() {
@@ -54,12 +54,11 @@ pub fn get_policy_mounts(
                 policy_mount.options = mount.options.iter().map(String::from).collect();
             } else {
                 // Add a new mount.
-                if !is_pause_container {
-                    if s_mount.destination.eq("/etc/hostname")
-                        || s_mount.destination.eq("/etc/resolv.conf")
-                    {
-                        mount.options.push(rootfs_access.to_string());
-                    }
+                if !is_pause_container
+                    && (s_mount.destination.eq("/etc/hostname")
+                        || s_mount.destination.eq("/etc/resolv.conf"))
+                {
+                    mount.options.push(rootfs_access.to_string());
                 }
                 p_mounts.push(mount);
             }
@@ -145,7 +144,7 @@ fn get_empty_dir_mount_and_storage(
             options: settings_empty_dir.options.clone(),
             mount_point: format!("{}{}$", &settings_empty_dir.mount_point, &yaml_mount.name),
             fs_group: None,
-            });
+        });
     }
 
     let source = if yaml_mount.subPathExpr.is_some() {
@@ -255,7 +254,7 @@ fn get_config_map_mount_and_storage(
             options: settings_config_map.options.clone(),
             mount_point: format!("{}{mount_path_str}$", &settings_config_map.mount_point),
             fs_group: None,
-            });
+        });
     }
 
     let file_name = Path::new(&yaml_mount.mountPath).file_name().unwrap();

src/tools/genpolicy/src/no_policy.rs

@@ -49,7 +49,7 @@ impl yaml::K8sResource for NoPolicyResource {
     }
 
     fn generate_policy(&self, _agent_policy: &policy::AgentPolicy) -> String {
-        return "".to_string();
+        "".to_string()
     }
 
     fn serialize(&mut self, _policy: &str) -> String {