Working directory enforcement (#1305)

* Add current working directory enforcement.

The working directory can be set as part of container image
by WORKINGDIR Dockerfile directive or could be explicitly
set inside CRI container config. Changing the CWD of container
can change the expected behavior of a container.

If the working_dir config is not present or empty inside the
policy config, this information will be gathered from container
image spec.

Add logic to enforce CWD enforcement inside GCS and extend
policy dev tool and policy structure to support this scenario.
The enforcement is an exact string match between what's in the
policy and what's in the generated container spec. If the paths
don't match, the container will fail to start.

* Minor refactor of securitypolicy_test

Add a utility funcion that picks a random container from an array
and generates a valid/invalid overlay for that container. Refactor
tests to use the new utility function.

* Add unit tests for enforcing working directory

Signed-off-by: Maksim An <maksiman@microsoft.com>

internal/guest/runtime/hcsv2/uvm.go

@@ -154,7 +154,12 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 		return nil, gcserr.NewHresultError(gcserr.HrVmcomputeSystemAlreadyExists)
 	}
 
-	err = h.securityPolicyEnforcer.EnforceCreateContainerPolicy(id, settings.OCISpecification.Process.Args, settings.OCISpecification.Process.Env)
+	err = h.securityPolicyEnforcer.EnforceCreateContainerPolicy(
+		id,
+		settings.OCISpecification.Process.Args,
+		settings.OCISpecification.Process.Env,
+		settings.OCISpecification.Process.Cwd,
+	)
 
 	if err != nil {
 		return nil, errors.Wrapf(err, "container creation denied due to policy")

internal/guest/storage/test/policy/mountmonitoringsecuritypolicyenforcer.go

@@ -29,6 +29,6 @@ func (p *MountMonitoringSecurityPolicyEnforcer) EnforceOverlayMountPolicy(contai
 	return nil
 }
 
-func (p *MountMonitoringSecurityPolicyEnforcer) EnforceCreateContainerPolicy(containerID string, argList []string, envList []string) (err error) {
+func (p *MountMonitoringSecurityPolicyEnforcer) EnforceCreateContainerPolicy(_ string, _ []string, _ []string, _ string) (err error) {
 	return nil
 }

internal/tools/securitypolicy/main.go

@@ -80,6 +80,7 @@ func createPolicyFromConfig(config *securitypolicy.PolicyConfig) (*securitypolic
 		[]string{"/pause"},
 		[]securitypolicy.EnvRule{},
 		securitypolicy.AuthConfig{},
+		"",
 	)
 	config.Containers = append(config.Containers, pause)
 
@@ -147,7 +148,14 @@ func createPolicyFromConfig(config *securitypolicy.PolicyConfig) (*securitypolic
 		}
 		envRules = append(envRules, rule)
 
-		container, err := securitypolicy.NewContainer(containerConfig.Command, layerHashes, envRules)
+		workingDir := "/"
+		if imgConfig.Config.WorkingDir != "" {
+			workingDir = imgConfig.Config.WorkingDir
+		}
+		if containerConfig.WorkingDir != "" {
+			workingDir = containerConfig.WorkingDir
+		}
+		container, err := securitypolicy.NewContainer(containerConfig.Command, layerHashes, envRules, workingDir)
 		if err != nil {
 			return nil, err
 		}

pkg/securitypolicy/securitypolicy.go

@@ -38,19 +38,27 @@ type EnvRuleConfig struct {
 // ContainerConfig contains toml or JSON config for container described
 // in security policy.
 type ContainerConfig struct {
-	ImageName string     `json:"image_name" toml:"image_name"`
-	Command   []string   `json:"command" toml:"command"`
-	Auth      AuthConfig `json:"auth" toml:"auth"`
-	EnvRules  []EnvRule  `json:"env_rules" toml:"env_rule"`
+	ImageName  string     `json:"image_name" toml:"image_name"`
+	Command    []string   `json:"command" toml:"command"`
+	Auth       AuthConfig `json:"auth" toml:"auth"`
+	EnvRules   []EnvRule  `json:"env_rules" toml:"env_rule"`
+	WorkingDir string     `json:"working_dir" toml:"working_dir"`
 }
 
 // NewContainerConfig creates a new ContainerConfig from the given values.
-func NewContainerConfig(imageName string, command []string, envRules []EnvRule, auth AuthConfig) ContainerConfig {
+func NewContainerConfig(
+	imageName string,
+	command []string,
+	envRules []EnvRule,
+	auth AuthConfig,
+	workingDir string,
+) ContainerConfig {
 	return ContainerConfig{
-		ImageName: imageName,
-		Command:   command,
-		EnvRules:  envRules,
-		Auth:      auth,
+		ImageName:  imageName,
+		Command:    command,
+		EnvRules:   envRules,
+		Auth:       auth,
+		WorkingDir: workingDir,
 	}
 }
 
@@ -72,6 +80,9 @@ type securityPolicyContainer struct {
 	// order that the layers are overlayed is important and needs to be enforced
 	// as part of policy.
 	Layers []string `json:"layers"`
+	// WorkingDir is a path to container's working directory, which all the processes
+	// will default to.
+	WorkingDir string `json:"working_dir"`
 }
 
 // SecurityPolicyState is a structure that holds user supplied policy to enforce
@@ -141,9 +152,10 @@ type Containers struct {
 }
 
 type Container struct {
-	Command  CommandArgs `json:"command"`
-	EnvRules EnvRules    `json:"env_rules"`
-	Layers   Layers      `json:"layers"`
+	Command    CommandArgs `json:"command"`
+	EnvRules   EnvRules    `json:"env_rules"`
+	Layers     Layers      `json:"layers"`
+	WorkingDir string      `json:"working_dir"`
 }
 
 type Layers struct {
@@ -170,14 +182,15 @@ type EnvRule struct {
 
 // NewContainer creates a new Container instance from the provided values
 // or an error if envRules validation fails.
-func NewContainer(command, layers []string, envRules []EnvRule) (*Container, error) {
+func NewContainer(command, layers []string, envRules []EnvRule, workingDir string) (*Container, error) {
 	if err := validateEnvRules(envRules); err != nil {
 		return nil, err
 	}
 	return &Container{
-		Command:  newCommandArgs(command),
-		Layers:   newLayers(layers),
-		EnvRules: newEnvRules(envRules),
+		Command:    newCommandArgs(command),
+		Layers:     newLayers(layers),
+		EnvRules:   newEnvRules(envRules),
+		WorkingDir: workingDir,
 	}, nil
 }