Merge pull request #1173 from SeanTAllen/switched-policy-json-format
Update json format for security policy
dcantah committed Sep 28, 2021
2 parents 18e2356 + 7931c55 commit 3046e94
Showing 7 changed files with 463 additions and 304 deletions.
128 changes: 71 additions & 57 deletions internal/tools/securitypolicy/README.md
Expand Up @@ -34,70 +34,84 @@ represented in JSON.
```json
{
"allow_all": false,
"num_containers": 2,
"containers": {
"0": {
"num_commands": 2,
"command": {
"0": "rustc",
"1": "--help"
},
"num_env_rules": 6,
"env_rules": {
"0": {
"strategy": "string",
"rule": "PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
},
"1": {
"strategy": "string",
"rule": "RUSTUP_HOME=/usr/local/rustup"
},
"2": {
"strategy": "string",
"rule": "CARGO_HOME=/usr/local/cargo"
},
"3": {
"strategy": "string",
"rule": "RUST_VERSION=1.52.1"
"length": 2,
"elements": {
"0": {
"command": {
"length": 2,
"elements": {
"0": "rustc",
"1": "--help"
}
},
"4": {
"strategy": "string",
"rule": "TERM=xterm"
"env_rules": {
"length": 6,
"elements": {
"0": {
"strategy": "re2",
"rule": "PREFIX_.+=.+"
},
"1": {
"strategy": "string",
"rule": "PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
},
"2": {
"strategy": "string",
"rule": "RUSTUP_HOME=/usr/local/rustup"
},
"3": {
"strategy": "string",
"rule": "CARGO_HOME=/usr/local/cargo"
},
"4": {
"strategy": "string",
"rule": "RUST_VERSION=1.52.1"
},
"5": {
"strategy": "string",
"rule": "TERM=xterm"
}
}
},
"5": {
"strategy": "re2",
"rule": "PREFIX_.+=.+"
"layers": {
"length": 6,
"elements": {
"0": "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
"1": "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
"2": "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
"3": "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
"4": "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
"5": "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766"
}
}
},
"num_layers": 6,
"layers": {
"0": "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
"1": "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
"2": "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
"3": "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
"4": "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
"5": "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766"
}
},
"1": {
"num_commands": 1,
"command": {
"0": "/pause"
},
"num_env_rules": 2,
"env_rules": {
"0": {
"strategy": "string",
"rule": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
"1": {
"command": {
"length": 1,
"elements": {
"0": "/pause"
}
},
"1": {
"strategy": "string",
"rule": "TERM=xterm"
"env_rules": {
"length": 2,
"elements": {
"0": {
"strategy": "string",
"rule": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
},
"1": {
"strategy": "string",
"rule": "TERM=xterm"
}
}
},
"layers": {
"length": 1,
"elements": {
"0": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"
}
}
},
"num_layers": 1,
"layers": {
"0": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"
}
}
}
94 changes: 45 additions & 49 deletions internal/tools/securitypolicy/main.go
Expand Up @@ -13,7 +13,7 @@ import (
"github.com/BurntSushi/toml"
"github.com/Microsoft/hcsshim/ext4/dmverity"
"github.com/Microsoft/hcsshim/ext4/tar2ext4"
sp "github.com/Microsoft/hcsshim/pkg/securitypolicy"
"github.com/Microsoft/hcsshim/pkg/securitypolicy"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/name"
"github.com/google/go-containerregistry/pkg/v1/remote"
Expand Down Expand Up @@ -47,7 +47,7 @@ func main() {
return err
}

policy, err := func() (sp.SecurityPolicy, error) {
policy, err := func() (securitypolicy.SecurityPolicy, error) {
if config.AllowAll {
return createOpenDoorPolicy(), nil
} else {
Expand Down Expand Up @@ -79,8 +79,8 @@ func main() {
}

type EnvironmentVariableRule struct {
Strategy sp.EnvVarRule `toml:"strategy"`
Rule string `toml:"rule"`
Strategy securitypolicy.EnvVarRule `toml:"strategy"`
Rule string `toml:"rule"`
}

type Container struct {
Expand All @@ -100,15 +100,17 @@ type Config struct {
Containers []Container `toml:"container"`
}

func createOpenDoorPolicy() sp.SecurityPolicy {
return sp.SecurityPolicy{
func createOpenDoorPolicy() securitypolicy.SecurityPolicy {
return securitypolicy.SecurityPolicy{
AllowAll: true,
}
}

func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
p := sp.SecurityPolicy{
Containers: map[string]sp.SecurityPolicyContainer{},
func createPolicyFromConfig(config Config) (securitypolicy.SecurityPolicy, error) {
p := securitypolicy.SecurityPolicy{
Containers: securitypolicy.Containers{
Elements: map[string]securitypolicy.Container{},
},
}

// Hardcode the pause container version and command. We still pull it
Expand Down Expand Up @@ -139,11 +141,12 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {

command := convertCommand(configContainer.Command)
envRules := convertEnvironmentVariableRules(configContainer.EnvRules)
container := sp.SecurityPolicyContainer{
NumCommands: len(command),
Command: command,
EnvRules: envRules,
Layers: map[string]string{},
container := securitypolicy.Container{
Command: command,
EnvRules: envRules,
Layers: securitypolicy.Layers{
Elements: map[string]string{},
},
}
ref, err := name.ParseReference(configContainer.Name)
if err != nil {
Expand Down Expand Up @@ -192,48 +195,43 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
}
hash := dmverity.RootHash(tree)
hashString := fmt.Sprintf("%x", hash)
container.Layers = addLayer(container.Layers, hashString)
addLayer(&container.Layers, hashString)
}

container.NumLayers = len(layers)

// add rules for all known environment variables from the configuration
// these are in addition to "other rules" from the policy definition file
config, err := img.ConfigFile()
if err != nil {
return p, err
}
for _, env := range config.Config.Env {
rule := sp.SecurityPolicyEnvironmentVariableRule{
Strategy: sp.EnvVarRuleString,
rule := securitypolicy.EnvRule{
Strategy: securitypolicy.EnvVarRuleString,
Rule: env,
}

container.EnvRules = addEnvRule(container.EnvRules, rule)
addEnvRule(&container.EnvRules, rule)
}

// cri adds TERM=xterm for all workload containers. we add to all containers
// to prevent any possble erroring
rule := sp.SecurityPolicyEnvironmentVariableRule{
Strategy: sp.EnvVarRuleString,
rule := securitypolicy.EnvRule{
Strategy: securitypolicy.EnvVarRuleString,
Rule: "TERM=xterm",
}

container.EnvRules = addEnvRule(container.EnvRules, rule)
container.NumEnvRules = len(container.EnvRules)
addEnvRule(&container.EnvRules, rule)

p.Containers = addContainer(p.Containers, container)
addContainer(&p.Containers, container)
}

p.NumContainers = len(p.Containers)

return p, nil
}

func validateEnvRules(rules []EnvironmentVariableRule) error {
for _, rule := range rules {
switch rule.Strategy {
case sp.EnvVarRuleRegex:
case securitypolicy.EnvVarRuleRegex:
_, err := regexp.Compile(rule.Rule)
if err != nil {
return err
Expand All @@ -244,51 +242,49 @@ func validateEnvRules(rules []EnvironmentVariableRule) error {
return nil
}

func convertCommand(toml []string) map[string]string {
func convertCommand(toml []string) securitypolicy.CommandArgs {
json := map[string]string{}

for i, arg := range toml {
json[strconv.Itoa(i)] = arg
}

return json
return securitypolicy.CommandArgs{
Elements: json,
}
}

func convertEnvironmentVariableRules(toml []EnvironmentVariableRule) map[string]sp.SecurityPolicyEnvironmentVariableRule {
json := map[string]sp.SecurityPolicyEnvironmentVariableRule{}
func convertEnvironmentVariableRules(toml []EnvironmentVariableRule) securitypolicy.EnvRules {
json := map[string]securitypolicy.EnvRule{}

for i, rule := range toml {
jsonRule := sp.SecurityPolicyEnvironmentVariableRule{
jsonRule := securitypolicy.EnvRule{
Strategy: rule.Strategy,
Rule: rule.Rule,
}

json[strconv.Itoa(i)] = jsonRule
}

return json
return securitypolicy.EnvRules{
Elements: json,
}
}

func addContainer(containers map[string]sp.SecurityPolicyContainer, container sp.SecurityPolicyContainer) map[string]sp.SecurityPolicyContainer {
index := strconv.Itoa(len(containers))
func addContainer(containers *securitypolicy.Containers, container securitypolicy.Container) {
index := strconv.Itoa(len(containers.Elements))

containers[index] = container

return containers
containers.Elements[index] = container
}

func addLayer(layers map[string]string, layer string) map[string]string {
index := strconv.Itoa(len(layers))

layers[index] = layer
func addLayer(layers *securitypolicy.Layers, layer string) {
index := strconv.Itoa(len(layers.Elements))

return layers
layers.Elements[index] = layer
}

func addEnvRule(rules map[string]sp.SecurityPolicyEnvironmentVariableRule, rule sp.SecurityPolicyEnvironmentVariableRule) map[string]sp.SecurityPolicyEnvironmentVariableRule {
index := strconv.Itoa(len(rules))

rules[index] = rule
func addEnvRule(rules *securitypolicy.EnvRules, rule securitypolicy.EnvRule) {
index := strconv.Itoa(len(rules.Elements))

return rules
rules.Elements[index] = rule
}
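Review bot: The new-side helpers addContainer, addLayer and addEnvRule in the last hunk, like convertCommand and convertEnvironmentVariableRules above them, only fill Elements; none of them sets the per-collection count that the README example serializes as "length", while the removed lines that assigned NumLayers, NumEnvRules and NumContainers have no replacement in this file. Unless the securitypolicy package derives that count during marshalling (its definition is in one of the other changed files, not shown here), the emitted policy would carry a zero count next to a populated elements map, which is the kind of inconsistency a policy consumer should refuse rather than tolerate. If the field is a plain struct member (presumably named Length), keep it in step at the single write site, e.g. after `layers.Elements[index] = layer` add `layers.Length = len(layers.Elements)`, and do the same in addContainer, addEnvRule and the two convert functions. createPolicyFromConfig starts and ends outside the middle hunks, so its remaining body is not visible here.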