Skip to content

policy: Add missing validation for ExecProcessRequest input fields #337

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 502 commits into from
Closed

policy: Add missing validation for ExecProcessRequest input fields #337

wants to merge 502 commits into from

Conversation

@Ankita13-code
Copy link

@Ankita13-code Ankita13-code commented Mar 27, 2025
edited
Loading

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
    • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • The upstream/missing label (or upstream/not-needed) has been set on the PR.
Summary

This PR introduces validation for additional input fields in ExecProcessRequest. It follows an approach similar to CreateContainerRequest to enforce null values for string_user and disallow selinuxLabel in ExecProcessRequest.
The field ApparmorProfile is disallowed for both ExecProcessRequest and CreateContainerRequest.

Test Methodology

manuelh-dev and others added 30 commits July 12, 2024 16:48
@manuelh-dev
Merge pull request #208 from microsoft/mahuber/incomplete_init
cc23bdb 
samples: introduce incomplete_init category
@manuelh-dev
Merge pull request #206 from microsoft/mahuber/cherry-pick-upstr
e7cb0d1 
Cherry-pick upstream PR kata-containers#9825: osbuilder: allow rootfs builds w/o git or version file deps
tools: Improve igvm-builder and node-builder/azure-linux scripting
2f672a1 
- Support for Mariner 3 builds using OS_VERSION variable
- Improvements to IGVM build process and flow as described in README
- Adoption of using only cloud-hypervisor-cvm on CBL-Mariner

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
Merge pull request #204 from microsoft/mahuber/uvm-spec-build-pr
dd57910 
tools: Improve igvm-builder and node-builder/azure-linux scripting
@miz060
tardev: update tardev-snapshotter.service
e6e6d34 
At the moment, we have circular dependencies between
tardev-snapshotter.service and containerd.service. Specifically,
containerd.service needs tardev-snapshotter.service to run any CC pods,
while tardev-snapshotter.service needs containerd.service to download
image layers. This dependency will be eliminated once we switch to
using remote-snapshotter. Currently, tardev-snapshotter.service's
binding to containerd.service gets delayed, and we won't be able to
run any CC pods until the boot process is completed. It doesn't matter
which service starts first. Based on the current logic, it makes more
sense to use WantedBy=kubelet.service in tardev-snapshotter.service, as
we won't be able to start any CC pods without kubelet. In the future,
once tardev-snapshotter becomes a remote snapshotter again, it will
make more sense to use WantedBy=containerd.service.

Signed-off-by: Mitch Zhu <[email protected]>
@miz060
Merge pull request #209 from microsoft/mitchzhu/tardev-service
1276d40 
tardev: update tardev-snapshotter.service
samples: reduce dependencies to docker hub
16523e2 
Use container image sources from ACR/MCR.

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
Merge pull request #210 from microsoft/tests/img-pull-src
386cab0 
samples: reduce dependencies to docker hub
@danmihai1
agent: fix the AllowRequestsFailingPolicy functionality
51b2fd2 
1. Use the new value of AllowRequestsFailingPolicy after setting up a
   new Policy. Before this change, the only way to enable
   AllowRequestsFailingPolicy was to change the default Policy file,
   built into the Guest rootfs image.

2. Ignore errors returned by regorus while evaluating Policy rules, if
   AllowRequestsFailingPolicy was enabled. For example, trying to
   evaluate the UpdateInterfaceRequest rules using a policy that didn't
   define any UpdateInterfaceRequest rules results in a "not found"
   error from regorus. Allow AllowRequestsFailingPolicy := true to
   bypass that error.

3. Add simple CI test for AllowRequestsFailingPolicy.

These changes are restoring functionality that was broken recently by
commmit 11f78ae.

Signed-off-by: Dan Mihai <[email protected]>
@danmihai1
Merge pull request #212 from microsoft/danmihai1/allow-failing-msft
80f047c 
agent: fix the AllowRequestsFailingPolicy functionality
@sprt
docs: add guide to install new CSI drivers
78e4962 
This adds a public guide on how to install and test the new storage CSI
drivers for AKS confidential pods.

Signed-off-by: Aurélien Bombo <[email protected]>
@sprt
Merge pull request #214 from microsoft/sprt/csi-instructions
4c89a18 
docs: add guide to install new CSI drivers
@Redent0r
genpolicy: add support for cron jobs
39e99dc 
Add support for cron jobs

Signed-off-by: Saul Paredes <[email protected]>
samples: update image references
71db681 
Use up-to-date AzL references

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
Merge pull request #217 from microsoft/tests/img-updates
c323d8a 
samples: update image references
@Redent0r
Merge pull request #218 from microsoft/saulparedes/support_cron_job
910bcd6 
genpolicy: add support for cron jobs
@danmihai1 @Redent0r
genpolicy: reject untested CreateContainer field values
bee89de 
Reject CreateContainerRequest field values that are not tested by
Kata CI and that might impact the confidentiality of CoCo Guests.

This change uses a "better safe than sorry" approach to untested
fields. It is very possible that in the future we'll encounter
reasonable use cases that will either:

- Show that some of these fields are benign and don't have to be
  verified by Policy, or
- Show that Policy should verify legitimate values of these fields

These are the new CreateContainerRequest Policy rules:

    count(input.shared_mounts) == 0
    is_null(input.string_user)

    i_oci := input.OCI
    is_null(i_oci.Hooks)
    is_null(i_oci.Linux.Seccomp)
    is_null(i_oci.Solaris)
    is_null(i_oci.Windows)

    i_linux := i_oci.Linux
    count(i_linux.GIDMappings) == 0
    count(i_linux.MountLabel) == 0
    count(i_linux.Resources.Devices) == 0
    count(i_linux.RootfsPropagation) == 0
    count(i_linux.UIDMappings) == 0
    is_null(i_linux.IntelRdt)
    is_null(i_linux.Resources.BlockIO)
    is_null(i_linux.Resources.Network)
    is_null(i_linux.Resources.Pids)
    is_null(i_linux.Seccomp)
    i_linux.Sysctl == {}

    i_process := i_oci.Process
    count(i_process.SelinuxLabel) == 0
    count(i_process.User.Username) == 0

Signed-off-by: Dan Mihai <[email protected]>
@Redent0r
samples: update annotations
8ad67ac 
Update annotations after reject untested CreateContainer field values

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
Merge pull request #219 from microsoft/saulparedes/reject_untested
89a658a 
genpolicy: reject untested CreateContainer field values
@Redent0r
samples: update ubuntu sample to use 18.04
32ac40e 
This is a more stable tag. Previous tag got updated yesterday and
requires to update the annotation.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
Merge pull request #220 from microsoft/saulparedes/update_ubuntu_sample
f17f994 
samples: update ubuntu sample to use 18.04
@Redent0r
chore: bump release version
24423ed 
Bump release version to 3.2.0-azl1.genpolicy1

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
Merge pull request #221 from microsoft/saulparedes/bump_release_version
dc2d4de 
chore: bump release version
tools: Add package-tools-install functionality
db1787f 
- Add script to install kata-containers(-cc)-tools bits
- Minor improvements in README.md
- Minor fix in package_install
- Remove echo outputs in package_build

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
Merge pull request #215 from microsoft/mahuber/uvm-tools-pkg
f20dbb9 
tools: Add package-tools-install functionality
tools: Enable setting IGVM SVN
08333aa 
- Allow setting SVN parameter for IGVM build scripting

Signed-off-by: Manuel Huber <[email protected]>
@manuelh-dev
Merge pull request #224 from microsoft/mahuber/igvm-svn
d375a69 
tools: Enable setting IGVM SVN
@sprt
node-builder: introduce BUILD_TYPE variable
52a47b6 
This lets developers build and deploy Kata in debug mode without having to make
manual edits to the build scripts.

With BUILD_TYPE=debug (default is release):

 * The agent is built in debug mode.
 * The agent is built with a permissive policy (using allow-all.rego).
 * The shim debug config file is used, ie. we create the symlink
   configuration-clh-snp-debug.toml <- configuration-clh-snp.toml.

For example, building and deploying Kata-CC in debug mode is now as simple as:

   make BUILD_TYPE=debug all-confpods deploy-confpods

Also do note that make still lets you override the other variables even after
setting BUILD_TYPE. For example, you can use the production shim config with
BUILD_TYPE=debug:

   make BUILD_TYPE=debug SHIM_USE_DEBUG_CONFIG=no all-confpods deploy-confpods

Signed-off-by: Aurélien Bombo <[email protected]>
@sprt
Merge pull request #216 from microsoft/sprt/build-type-var
74cc478 
node-builder: introduce BUILD_TYPE variable
@Redent0r
samples: update samples
7e00f3d 
Update samples that use
image: "mcr.microsoft.com/azurelinux/base/nginx:1.25". Looks like
this image tag was updated in mcr on 8/27/2024.

Signed-off-by: Saul Paredes <[email protected]>
Camelron and others added 9 commits March 14, 2025 17:13
@Camelron
samples: update samples
1e703f8 
Update samples

Signed-off-by: Cameron Baird <[email protected]>
@Redent0r
Merge pull request #333 from microsoft/cameronbaird/backport-network-…
b648d32 
…policy

genpolicy: Introduce UpdateRoutesRequest, UpdateInterfaceRequest rules in genpolicy-settings
@Redent0r
policy: add tests for createContainerRequest
35f8904 
Add test cases for basic and legacy requests to create pause container

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
Merge pull request #334 from microsoft/saulparedes/add_create_contain…
9cbaf8d 
…er_tests

policy: add tests for createContainerRequest
@Redent0r
policy: validate pod generated name
a175e12 
Validate sandbox name using a regex. If the YAML specifies metadata.name, use a regex that exact matches.
If the YAML specifies metadata.generateName, use a regex that matches the prefix of the generated name.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
policy: mark protocols import as a dev dependency
42ecd51 
We only use protocols in the tests, so it should be a dev dependency.

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
samples: update samples
c481445 
Update samples

Signed-off-by: Saul Paredes <[email protected]>
@Redent0r
Merge pull request #331 from microsoft/saulparedes/validate_generated…
9db7002 
…_name

policy: validate pod generated name
@danmihai1
genpolicy: add support for BUILD_TYPE=debug
5737c1d 
Use "cargo build --release" when BUILD_TYPE was not specified, or when
BUILD_TYPE=release. The default "cargo build" behavior is to build in
debug mode.

Signed-off-by: Dan Mihai <[email protected]>
@Ankita13-code Ankita13-code added the upstream/missing PRs that are yet to be upstreamed label Mar 27, 2025
Redent0r
Redent0r reviewed Mar 27, 2025
View reviewed changes
@Redent0r
Copy link

Redent0r commented Mar 27, 2025

I'd vote to squash these 3 commits into a single one and summarize the fields that are being validated

@Redent0r
Copy link

Redent0r commented Mar 27, 2025

todo: rebase against msft-main once #335 gets merged and add unit tests. If we pass all pipeline tests, I'd say we may move upstream without the unit tests here.

Redent0r
Redent0r reviewed Mar 28, 2025
View reviewed changes
@Ankita13-code Ankita13-code force-pushed the ankitapareek/genpolicy-input-validation branch from f5369d0 to fc3e210 Compare March 28, 2025 08:56
@Ankita13-code
Copy link
Author

Ankita13-code commented Mar 28, 2025

I'd vote to squash these 3 commits into a single one and summarize the fields that are being validated

Done!

@Ankita13-code Ankita13-code changed the title policy: Add validation for ExecProcessRequest input fields policy: Add missing validation for ExecProcessRequest input fields Mar 28, 2025
@danmihai1
Copy link

danmihai1 commented Mar 28, 2025

I'd vote to squash these 3 commits into a single one and summarize the fields that are being validated

@Redent0r @Ankita13-code , please use a separate commit for updating the YAML files.

Redent0r
Redent0r reviewed Mar 28, 2025
View reviewed changes
danmihai1
danmihai1 reviewed Mar 28, 2025
View reviewed changes
src/tools/genpolicy/rules.rego Outdated
# TODO: should other ExecProcessRequest input data fields be validated as well?
ExecProcessRequest {
print("ExecProcessRequest 1: input =", input)
allow_exec_process_input(input)
Copy link

@danmihai1 danmihai1 Mar 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understand correctly, we can remove the input function parameter, and just use input from the allow_exec_process_input rules.

Copy link
Author

@Ankita13-code Ankita13-code Mar 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danmihai1, updated the function to remove this parameter

@Ankita13-code
Copy link
Author

Ankita13-code commented Mar 29, 2025

lease use a separate commit for updating the YAML files.

@danmihai1 we already have a separate commit for the samples. Saul was talking about some of the earlier commits that I had for validating each input field.

@Ankita13-code Ankita13-code force-pushed the ankitapareek/genpolicy-input-validation branch from 4994b72 to 7d08ebe Compare March 31, 2025 05:51
@Ankita13-code
policy: Add missing input validations for ExecProcessRequest
0e5a224 
This commit introduces validation for input fields in ExecProcessRequest to
harden the security policy.

The changes include:
- update rules.rego to add null/empty field enforcements for String_user, SelinuxLabel and ApparmorProfile

Signed-off-by: Ankita Pareek <[email protected]>
@Ankita13-code Ankita13-code force-pushed the ankitapareek/genpolicy-input-validation branch from 7d08ebe to 2d2d59a Compare March 31, 2025 06:15
@Ankita13-code
samples: Update samples with the new policy
189e903 
Update policy samples with new rules for ExecProcessRequest in policy

Signed-off-by: Ankita Pareek <[email protected]>
@Ankita13-code Ankita13-code force-pushed the ankitapareek/genpolicy-input-validation branch from 78c6500 to 189e903 Compare April 1, 2025 05:26
@Ankita13-code
Copy link
Author

Ankita13-code commented May 27, 2025

Closing this PR since it was a placeholder and has been already merged upstream.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Redent0r Redent0r Redent0r left review comments

@danmihai1 danmihai1 danmihai1 approved these changes

Assignees

No one assigned

Labels

upstream/missing PRs that are yet to be upstreamed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.