Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip setting security policy when it's empty #1099

Merged
merged 1 commit into from
Aug 11, 2021
Merged

Skip setting security policy when it's empty #1099

merged 1 commit into from
Aug 11, 2021

Conversation

anmaxvl
Copy link
Contributor

@anmaxvl anmaxvl commented Aug 10, 2021
edited
Loading

Due to an error ignored when calling to json.Unmarshal the call
to SetSecurityPolicy with an empty or invalid string policy results
in a policy with no Containers and AllowAll set to false. No
container can be run as a result.

Fix the behavior by not sending modification request for SetSecurityPolicy
when policy string is empty (which is the default) and checking the
error result from json.Unmarshal call

Signed-off-by: Maksim An maksiman@microsoft.com

@anmaxvl anmaxvl requested a review from a team as a code owner August 10, 2021 22:27
@anmaxvl
Copy link
Contributor Author

anmaxvl commented Aug 10, 2021

@SeanTAllen fyi

@katiewasnothere
Copy link
Contributor

Is this enough? When I was testing other changes, I got errors from EnforceOverlayMountPolicy and EnforcePmemMountPolicy even when I commented out setting the security policy here.

@anmaxvl anmaxvl force-pushed the skip-empty-policy branch from 136fe1e to 008b8ea Compare August 10, 2021 22:45
@anmaxvl
Copy link
Contributor Author

anmaxvl commented Aug 11, 2021

Is this enough? When I was testing other changes, I got errors from EnforceOverlayMountPolicy and EnforcePmemMountPolicy even when I commented out setting the security policy here.

yeah, this was enough for me.

@SeanTAllen
Copy link
Contributor

Odd. I was able to run without any annotation and no errors without that being needed.

@SeanTAllen
Copy link
Contributor

I've been thinking about how this could have been missed. There must have been a change during review that seemed inconsequential where I didn't end up retesting without the annotation later (definite oversight on my part). I suspect that on the guest side, it was filtering out setting the policy from the default before.

@anmaxvl I personally think the "" check should go inside the SetSecurityPolicy as it would be possible to call it incorrectly in the future and cause an issue. We could also had a check for "that security policy doesnt look right" on the guest side and error out if an empty one.

What's concerning to me is this code in uvm.go:

	// json unmarshall the decoded to a SecurityPolicy
	securityPolicy := &securitypolicy.SecurityPolicy{}
	json.Unmarshal(jsonPolicy, securityPolicy)

	p, err := securitypolicy.NewSecurityPolicyEnforcer(securityPolicy)
	if err != nil {
		return err
	}

So, the Unmarshall... at some point we lost an error check but either way, from this, without an annotation we somehow ended up with security policy that wasn't nil. That's concerning. It shouldn't turn an empty string into a security policy.

Before this change goes in @anmaxvl, we should fix the Unmarshal not checking the error return value and understand if it errors when no annotation was used.

@SeanTAllen
Copy link
Contributor

@anmaxvl I tested the Unmarshall change. It would have caught this issue and given a more helpful error message about not being able to unmarshall the policy. I think it would be reasonable to add that change to this PR. If you think it should be separate, let me know and I'll open a PR for it.

@anmaxvl
Copy link
Contributor Author

anmaxvl commented Aug 11, 2021

@anmaxvl I tested the Unmarshall change. It would have caught this issue and given a more helpful error message about not being able to unmarshall the policy. I think it would be reasonable to add that change to this PR. If you think it should be separate, let me know and I'll open a PR for it.

thanks for looking into it more. It makes sense now, we initialize an empty security policy, ignore the unmarshal error and end up in this state. I'll add the check.

@anmaxvl anmaxvl force-pushed the skip-empty-policy branch from 008b8ea to 8594ddb Compare August 11, 2021 16:16
@anmaxvl
fix: Skip setting security policy when it's empty
84fcbce 
Due to an error ignored when calling to json.Unmarshal the call
to SetSecurityPolicy with an empty or invalid string policy results
in a policy with no Containers and AllowAll set to false. No
container can be run as a result.

Fix the behavior by not sending modification request for SetSecurityPolicy
when policy string is empty (which is the default) and checking the
error result from json.Unmarshal call

Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl anmaxvl force-pushed the skip-empty-policy branch from 8594ddb to 84fcbce Compare August 11, 2021 16:26
@anmaxvl anmaxvl changed the title skip setting security policy when it's empty Skip setting security policy when it's empty Aug 11, 2021
katiewasnothere
katiewasnothere approved these changes Aug 11, 2021
View reviewed changes
Copy link
Contributor

@katiewasnothere katiewasnothere left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@anmaxvl anmaxvl merged commit 3f1e9b4 into microsoft:master Aug 11, 2021
@anmaxvl anmaxvl deleted the skip-empty-policy branch August 11, 2021 21:34
anmaxvl pushed a commit to anmaxvl/hcsshim that referenced this pull request Nov 17, 2021
@ambarve
Merged PR 4988349: Update ADO to c7c44e1
ec06a48 
Related work items: microsoft#930, microsoft#962, microsoft#1004, microsoft#1008, microsoft#1039, microsoft#1045, microsoft#1046, microsoft#1047, microsoft#1052, microsoft#1053, microsoft#1054, microsoft#1057, microsoft#1058, microsoft#1060, microsoft#1061, microsoft#1063, microsoft#1064, microsoft#1068, microsoft#1069, microsoft#1070, microsoft#1071, microsoft#1074, microsoft#1078, microsoft#1079, microsoft#1081, microsoft#1082, microsoft#1083, microsoft#1084, microsoft#1088, microsoft#1090, microsoft#1091, microsoft#1093, microsoft#1094, microsoft#1096, microsoft#1098, microsoft#1099, microsoft#1102, microsoft#1103, microsoft#1105, microsoft#1106, microsoft#1108, microsoft#1109, microsoft#1115, microsoft#1116, microsoft#1122, microsoft#1123, microsoft#1126
princepereira pushed a commit to princepereira/hcsshim that referenced this pull request Aug 29, 2024
@anmaxvl
Merge pull request microsoft#1099 from anmaxvl/skip-empty-policy
f58b604 
Skip setting security policy when it's empty
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@katiewasnothere katiewasnothere katiewasnothere approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anmaxvl @katiewasnothere @SeanTAllen