From 23fa95656211a5571a9e4215b1c20518602723d7 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Wed, 18 Dec 2024 00:40:18 +0000 Subject: [PATCH] agent: log policy prints for allow=false Log into Pod VM's /tmp/policy.txt the policy print output for requests that get evaluated to false - to help debugging. This output was already provided for interactive commands - e.g., when ExecProcessRequest gets rejected for "kubectl exec". However, for non interactive requests - e.g., ExecProcessRequest for a livenessProbe - it can be helpful to set AllowRequestsFailingPolicy = true and to collect the policy prints from the Pod VM log file. Signed-off-by: Dan Mihai --- src/agent/src/policy.rs | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs index 497cd5f0c469..6ebd720b9a2c 100644 --- a/src/agent/src/policy.rs +++ b/src/agent/src/policy.rs @@ -159,7 +159,7 @@ impl AgentPolicy { /// Ask regorus if an API call should be allowed or not. async fn allow_request(&mut self, ep: &str, ep_input: &str) -> Result<(bool, String)> { debug!(sl!(), "policy check: {ep}"); - self.log_eval_input(ep, ep_input).await; + self.log_request(ep, ep_input).await; let query = format!("data.agent_policy.{ep}"); self.engine.set_input_json(ep_input)?; @@ -174,16 +174,20 @@ impl AgentPolicy { } }; - if !allow && self.allow_failures { - warn!(sl!(), "policy: ignoring error for {ep}"); - allow = true; - } - let prints = match self.engine.take_prints() { Ok(p) => p.join(" "), Err(e) => format!("Failed to get policy log: {e}"), }; + if !allow { + self.log_request(ep, &prints).await; + } + + if !allow && self.allow_failures { + warn!(sl!(), "policy: ignoring error for {ep}"); + allow = true; + } + Ok((allow, prints)) } 
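Review bot: Routing the denial prints through `log_request` at `self.log_request(ep, &prints).await` puts them behind that function's endpoint skip list, so a rejected StatsContainerRequest, ReadStreamRequest, SetPolicyRequest or AllowRequestsFailingPolicy leaves no prints in the log at all, even though the skip list was added for the volume and size of request inputs and a rare denial's prints are small. The record is also written in the same `["ep":"…",{input}]` shape as the JSON request inputs although `prints` is free text, so a reader of the file cannot tell a denial record from an input record, and quotes inside the print output are not escaped. A dedicated writer that bypasses the filter and labels the record addresses both and can reuse the existing write/flush error handling. The prints are written before the `allow_failures` override, so the file shows every denial but not which ones were subsequently allowed; only the `warn!` in the agent log records that. `allow_request` begins outside this hunk.
```rust
        if !allow {
            // Bypasses log_request's per-endpoint skip list: a denial is rare and
            // its prints are small, so record them for every endpoint.
            self.log_denial(ep, &prints).await;
        }
        // … unchanged: allow_failures override and Ok((allow, prints)) …

    /// Append the policy print output of a denied request to the policy log.
    /// Unlike log_request, no endpoint is skipped, and the prints are quoted
    /// with Debug formatting so embedded quotes cannot break the record.
    async fn log_denial(&mut self, ep: &str, prints: &str) {
        if let Some(log_file) = &mut self.log_file {
            let log_entry = format!("[\"ep\":\"{ep}\",\"denied_prints\":{prints:?}],\n\n");
            if let Err(e) = log_file.write_all(log_entry.as_bytes()).await {
                warn!(sl!(), "policy: log_denial: write_all failed: {}", e);
            } else if let Err(e) = log_file.flush().await {
                warn!(sl!(), "policy: log_denial: flush failed: {}", e);
            }
        }
    }
```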
@@ -197,24 +201,22 @@ impl AgentPolicy { Ok(()) } - async fn log_eval_input(&mut self, ep: &str, input: &str) { + async fn log_request(&mut self, ep: &str, input: &str) { if let Some(log_file) = &mut self.log_file { match ep { - "StatsContainerRequest" | "ReadStreamRequest" | "SetPolicyRequest" => { - // - StatsContainerRequest and ReadStreamRequest are called - // relatively often, so we're not logging them, to avoid - // growing this log file too much. - // - Confidential Containers Policy documents are relatively - // large, so we're not logging them here, for SetPolicyRequest. - // The Policy text can be obtained directly from the pod YAML. + "StatsContainerRequest" + | "ReadStreamRequest" + | "SetPolicyRequest" + | "AllowRequestsFailingPolicy" => { + // Logging these request types would create too much unnecessary output. } _ => { let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n"); if let Err(e) = log_file.write_all(log_entry.as_bytes()).await { - warn!(sl!(), "policy: log_eval_input: write_all failed: {}", e); + warn!(sl!(), "policy: log_request: write_all failed: {}", e); } else if let Err(e) = log_file.flush().await { - warn!(sl!(), "policy: log_eval_input: flush failed: {}", e); + warn!(sl!(), "policy: log_request: flush failed: {}", e); } } }