Copy genpolicy from cc-msft-prototypes
$ git rev-parse cc-msft-prototypes
328e440
$ git checkout cc-msft-prototypes src/tools/genpolicy/
$ git checkout cc-msft-prototypes src/agent/samples/policy/
sprt committed Dec 19, 2023
1 parent 891f488 commit e5547b9
Showing 157 changed files with 32,720 additions and 0 deletions.
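--- a/src/agent/samples/policy/all-allowed/all-allowed.rego
+++ b/src/agent/samples/policy/all-allowed/all-allowed.rego
@@ -0,0 +1,38 @@
+package agent_policy
+
+default AddARPNeighborsRequest := true
+default AddSwapRequest := true
+default CloseStdinRequest := true
+default CopyFileRequest := true
+default CreateContainerRequest := true
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default ExecProcessRequest = true
+default GetMetricsRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default ListInterfacesRequest := true
+default ListRoutesRequest := true
+default MemHotplugByProbeRequest := true
+default OnlineCPUMemRequest := true
+default PauseContainerRequest := true
+default PullImageRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default RemoveStaleVirtiofsShareMountsRequest := true
+default ReseedRandomDevRequest := false
+default ResumeContainerRequest := true
+default SetGuestDateTimeRequest := true
+default SetPolicyRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StartTracingRequest := true
+default StatsContainerRequest := true
+default StopTracingRequest := true
+default TtyWinResizeRequest := true
+default UpdateContainerRequest := true
+default UpdateEphemeralMountsRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true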
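Review bot: `default ExecProcessRequest = true` is the only rule in this file written with `=` instead of `:=`; both forms declare a default in Rego, but the mismatch reads as an accidental edit and should become `default ExecProcessRequest := true`. The `default ReseedRandomDevRequest := false` line is likewise the single denial in a sample named all-allowed and carries no comment explaining the exception. A one-line comment above it naming the reason, e.g. `# ReseedRandomDevRequest is deliberately denied even in this sample.`, would keep a later reader from "fixing" it to true.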
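--- a/src/agent/samples/policy/outdated/ctr/ctr-busybox-data.json
+++ b/src/agent/samples/policy/outdated/ctr/ctr-busybox-data.json
@@ -0,0 +1,208 @@
+{
+"coco_data": {
+"policy_containers": [
+{
+"ociVersion": "1.0.2-dev",
+"process": {
+"terminal": true,
+"user": {
+"uid": 0,
+"gid": 0,
+"additionalGids": [
+10
+]
+},
+"args": [
+"/bin/sh"
+],
+"env": [
+"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+"TERM=xterm"
+],
+"cwd": "/",
+"capabilities": {
+"bounding": [
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_FSETID",
+"CAP_FOWNER",
+"CAP_MKNOD",
+"CAP_NET_RAW",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETFCAP",
+"CAP_SETPCAP",
+"CAP_NET_BIND_SERVICE",
+"CAP_SYS_CHROOT",
+"CAP_KILL",
+"CAP_AUDIT_WRITE"
+],
+"effective": [
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_FSETID",
+"CAP_FOWNER",
+"CAP_MKNOD",
+"CAP_NET_RAW",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETFCAP",
+"CAP_SETPCAP",
+"CAP_NET_BIND_SERVICE",
+"CAP_SYS_CHROOT",
+"CAP_KILL",
+"CAP_AUDIT_WRITE"
+],
+"permitted": [
+"CAP_CHOWN",
+"CAP_DAC_OVERRIDE",
+"CAP_FSETID",
+"CAP_FOWNER",
+"CAP_MKNOD",
+"CAP_NET_RAW",
+"CAP_SETGID",
+"CAP_SETUID",
+"CAP_SETFCAP",
+"CAP_SETPCAP",
+"CAP_NET_BIND_SERVICE",
+"CAP_SYS_CHROOT",
+"CAP_KILL",
+"CAP_AUDIT_WRITE"
+]
+},
+"rlimits": [
+{
+"type": "RLIMIT_NOFILE",
+"hard": 1024,
+"soft": 1024
+}
+],
+"noNewPrivileges": true,
+"oomScoreAdj": 0
+},
+"root": {
+"path": "^/run/kata-containers/shared/containers/[a-zA-Z0-9]*/rootfs$",
+"readonly": false
+},
+"mounts": [
+{
+"destination": "/proc",
+"type": "proc",
+"source": "proc",
+"options": [
+"nosuid",
+"noexec",
+"nodev"
+]
+},
+{
+"destination": "/dev",
+"type": "tmpfs",
+"source": "tmpfs",
+"options": [
+"nosuid",
+"strictatime",
+"mode=755",
+"size=65536k"
+]
+},
+{
+"destination": "/dev/pts",
+"type": "devpts",
+"source": "devpts",
+"options": [
+"nosuid",
+"noexec",
+"newinstance",
+"ptmxmode=0666",
+"mode=0620",
+"gid=5"
+]
+},
+{
+"destination": "/dev/shm",
+"type": "bind",
+"source": "/run/kata-containers/sandbox/shm",
+"options": [
+"rbind"
+]
+},
+{
+"destination": "/dev/mqueue",
+"type": "mqueue",
+"source": "mqueue",
+"options": [
+"nosuid",
+"noexec",
+"nodev"
+]
+},
+{
+"destination": "/sys",
+"type": "sysfs",
+"source": "sysfs",
+"options": [
+"nosuid",
+"noexec",
+"nodev",
+"ro"
+]
+},
+{
+"destination": "/run",
+"type": "tmpfs",
+"source": "tmpfs",
+"options": [
+"nosuid",
+"strictatime",
+"mode=755",
+"size=65536k"
+]
+}
+],
+"linux": {
+"resources": {
+"cpu": {
+"shares": 1024,
+"quota": 0,
+"period": 0,
+"realtimeRuntime": 0,
+"realtimePeriod": 0
+}
+},
+"cgroupsPath": "/default/hello6",
+"namespaces": [
+{
+"type": "ipc"
+},
+{
+"type": "uts"
+},
+{
+"type": "mount"
+}
+],
+"maskedPaths": [
+"/proc/acpi",
+"/proc/asound",
+"/proc/kcore",
+"/proc/keys",
+"/proc/latency_stats",
+"/proc/timer_list",
+"/proc/timer_stats",
+"/proc/sched_debug",
+"/sys/firmware",
+"/proc/scsi"
+],
+"readonlyPaths": [
+"/proc/bus",
+"/proc/fs",
+"/proc/irq",
+"/proc/sys",
+"/proc/sysrq-trigger"
+]
+}
+}
+]
+}
+}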
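Review bot: The root `"path"` pattern `^/run/kata-containers/shared/containers/[a-zA-Z0-9]*/rootfs$` uses `*`, so an empty container-id segment satisfies it as well; ctr-busybox.rego in this same commit passes this string straight to `regex.match` against the requested root path, so `+` is the tighter quantifier: `"path": "^/run/kata-containers/shared/containers/[a-zA-Z0-9]+/rootfs$"`. Whether the runtime ever produces an id outside that character class is not visible here and would need checking before narrowing the class further.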
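--- a/src/agent/samples/policy/outdated/ctr/ctr-busybox.rego
+++ b/src/agent/samples/policy/outdated/ctr/ctr-busybox.rego
@@ -0,0 +1,96 @@
+package coco_policy
+
+import future.keywords.in
+import future.keywords.every
+
+import input
+import data.coco_data
+
+######################################################################
+# Default values:
+#
+# - true for requests that are allowed by default.
+# - false for requests that have additional policy rules, defined below.
+# - Requests that are not listed here get rejected by default.
+
+# More detailed policy rules are below.
+default CreateContainerRequest := false
+
+# Requests that are always allowed.
+default CreateSandboxRequest := true
+default DestroySandboxRequest := true
+default GetOOMEventRequest := true
+default GuestDetailsRequest := true
+default OnlineCPUMemRequest := true
+default ReadStreamRequest := true
+default RemoveContainerRequest := true
+default SignalProcessRequest := true
+default StartContainerRequest := true
+default StatsContainerRequest := true
+default TtyWinResizeRequest := true
+default UpdateInterfaceRequest := true
+default UpdateRoutesRequest := true
+default WaitProcessRequest := true
+default WriteStreamRequest := true
+
+
+# Image service should make is_allowed!() calls.
+#
+# Might use policy metadata to reject images that were
+# not referenced by config.json.
+#default PullImageRequest := false
+
+
+######################################################################
+# Could check that "terminal": true.
+
+CreateContainerRequest {
+policy_container := coco_data.policy_containers[0]
+input_container := input.oci
+
+policy_container.ociVersion == input_container.ociVersion
+
+allow_annotations(policy_container, input_container)
+
+policy_process := policy_container.process
+input_process := input_container.process
+
+policy_process.terminal == input_process.terminal
+policy_process.user == input_process.user
+policy_process.args == input_process.args
+
+# Ignore any policy environment variables that are not
+# present in the input.
+every env_var in input_process.env {
+policy_process.env[_] == env_var
+}
+
+policy_process.cwd == input_process.cwd
+policy_process.capabilities == input_process.capabilities
+policy_process.rlimits == input_process.rlimits
+policy_process.noNewPrivileges == input_process.noNewPrivileges
+policy_process.oomScoreAdj == input_process.oomScoreAdj
+
+regex.match(policy_container.root.path, input_container.root.path)
+policy_container.root.readonly == input_container.root.readonly
+
+policy_container.mounts == input_container.mounts
+allow_linux(policy_container, input_container)
+}
+
+######################################################################
+# No annotations allowed for ctr based containers.
+
+allow_annotations(policy_container, input_container) {
+not policy_container.annotations
+not input_container.annotations
+}
+
+######################################################################
+# linux fields
+
+allow_linux(policy_container, input_container) {
+policy_container.linux.namespaces == input_container.linux.namespaces
+policy_container.linux.maskedPaths == input_container.linux.maskedPaths
+policy_container.linux.readonlyPaths == input_container.linux.readonlyPaths
+}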
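Review bot: `allow_linux` compares only `linux.namespaces`, `linux.maskedPaths` and `linux.readonlyPaths`, while the companion sample data added in this commit (ctr-busybox-data.json) also carries `linux.resources` and `linux.cgroupsPath`, which no rule in this file reads; `CreateContainerRequest` checks nothing under `linux` beyond that one call. If leaving those fields unenforced is intentional for this sample, the `# linux fields` header should say so, e.g. `# linux fields: only namespaces and the masked/readonly path lists are enforced; resources and cgroupsPath are not compared.` Separately, `import input` is redundant, since `input` is always in scope in Rego, and can be dropped without changing the policy.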
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
{
"coco_data": {
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
package agent_policy

default SetPolicyRequest := true