policy: Add validation for ApparmorProfile in ExecProcessRequest and CreateContainerRequest

Ankita13-code · Ankita13-code · commit f5369d00619c · 2025-03-27T06:10:10.000+05:30
Add these validations to enforce the runtime default ApparmorProfile settings on the container

Signed-off-by: Ankita Pareek &lt;ankitapareek@microsoft.com&gt;
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
@@ -314,7 +314,8 @@ allow_create_container_input(req) {
     i_process := i_oci.Process
     count(i_process.SelinuxLabel) == 0
     count(i_process.User.Username) == 0
-
+    count(i_process.ApparmorProfile) == 0
+    
     print("allow_create_container_input: true")
 }
 
@@ -1644,6 +1645,7 @@ allow_exec_process_input(req){
 
     i_process := req.process
     count(i_process.SelinuxLabel) == 0
+    count(i_process.ApparmorProfile) == 0
 
     print("allow_exec_process_input: true")
 }

Original file line number	Diff line number	Diff line change
`@@ -314,7 +314,8 @@ allow_create_container_input(req) {`
`314`	`314`	`i_process := i_oci.Process`
`315`	`315`	`count(i_process.SelinuxLabel) == 0`
`316`	`316`	`count(i_process.User.Username) == 0`
`317`		`-`
	`317`	`+ count(i_process.ApparmorProfile) == 0`
	`318`	`+`
`318`	`319`	`print("allow_create_container_input: true")`
`319`	`320`	`}`
`320`	`321`
`@@ -1644,6 +1645,7 @@ allow_exec_process_input(req){`
`1644`	`1645`
`1645`	`1646`	`i_process := req.process`
`1646`	`1647`	`count(i_process.SelinuxLabel) == 0`
	`1648`	`+ count(i_process.ApparmorProfile) == 0`
`1647`	`1649`
`1648`	`1650`	`print("allow_exec_process_input: true")`
`1649`	`1651`	`}`