genpolicy: tighter symlink source rules

Allow symlink source file path rules typically used for ConfigMaps and/or Secrets and reject other source paths. Signed-off-by: Dan Mihai <[email protected]>
microsoft · Dec 18, 2024 · 879fe80 · 879fe80
1 parent 79fc221
commit 879fe80
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 12 deletions.
diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
@@ -217,6 +217,8 @@
         "ipv4_a": "((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}",
         "svc_name": "[A-Z0-9_\\.\\-]+",
         "dns_label": "[a-zA-Z0-9_\\.\\-]+",
+        "s_source1": "^..2[0-9]{3}_[0-1][0-9]_[0-3][0-9]_[0-2][0-9]_[0-5][0-9]_[0-5][0-9]\\.[0-9]{1,10}$",
+        "s_source2": "^..data/",
         "default_caps": [
             "CAP_CHOWN",
             "CAP_DAC_OVERRIDE",

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
@@ -1174,20 +1174,26 @@ check_directory_traversal(i_path) {
     endswith(i_path, "/..") == false
 }
 
-check_symlink_source {
-    # TODO: delete this rule once the symlink_src field gets implemented
-    # by all/most Guest VMs.
-    not input.symlink_src
+check_symlink_source(i_src) {
+    i_src == ""
+    print("check_symlink_source 1: true")
 }
-check_symlink_source {
-    i_src := input.symlink_src
-    print("check_symlink_source: i_src =", i_src)
+check_symlink_source(i_src) {
+    i_src != ""
+    print("check_symlink_source 2: i_src =", i_src)
 
-    i_src != "."
-    i_src != ".."
-
-    startswith(i_src, "/") == false
+    regex.match(policy_data.common.s_source1, i_src)
+
+    print("check_symlink_source 2: true")
+}
+check_symlink_source(i_src) {
+    i_src != ""
+    print("check_symlink_source 3: i_src =", i_src)
+
+    regex.match(policy_data.common.s_source2, i_src)
     check_directory_traversal(i_src)
+
+    print("check_symlink_source 3: true")
 }
 
 allow_sandbox_storages(i_storages) {
@@ -1214,7 +1220,7 @@ allow_sandbox_storage(p_storages, i_storage) {
 CopyFileRequest {
     print("CopyFileRequest: input.path =", input.path)
 
-    check_symlink_source
+    check_symlink_source(input.symlink_src)
     check_directory_traversal(input.path)
 
     some regex1 in policy_data.request_defaults.CopyFileRequest

diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
@@ -376,6 +376,12 @@ pub struct CommonData {
     // Regex for a DNS label (e.g., host name).
     pub dns_label: String,
 
+    // Regex for symlink source files similar to "..2024_12_18_17_38_13.2593682734".
+    pub s_source1: String,
+
+    // Regex for symlink source files similar to "..data/namespace".
+    pub s_source2: String,
+
     /// Default capabilities for a non-privileged container.
     pub default_caps: Vec<String>,