microsoft · anmaxvl · Jan 14, 2022
@@ -51,7 +51,7 @@ type Host struct {
 
 	// state required for the security policy enforcement
 	policyMutex               sync.Mutex
-	securityPolicyEnforcer    securitypolicy.SecurityPolicyEnforcer
+	securityPolicyEnforcer    securitypolicy.PolicyEnforcer
 	securityPolicyEnforcerSet bool
 }
 
@@ -62,7 +62,7 @@ func NewHost(rtime runtime.Runtime, vsock transport.Transport) *Host {
 		rtime:                     rtime,
 		vsock:                     vsock,
 		securityPolicyEnforcerSet: false,
-		securityPolicyEnforcer:    &securitypolicy.OpenDoorSecurityPolicyEnforcer{},
+		securityPolicyEnforcer:    &securitypolicy.OpenDoorEnforcer{},
 	}
 }
 
@@ -217,7 +217,7 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 	// security policy variable cannot be included in the security policy as its value is not available
 	// security policy construction time.
 
-	if policyEnforcer, ok := (h.securityPolicyEnforcer).(*securitypolicy.StandardSecurityPolicyEnforcer); ok {
+	if policyEnforcer, ok := (h.securityPolicyEnforcer).(*securitypolicy.StandardEnforcer); ok {
 		secPolicyEnv := fmt.Sprintf("SECURITY_POLICY=%s", policyEnforcer.EncodedSecurityPolicy)
 		settings.OCISpecification.Process.Env = append(settings.OCISpecification.Process.Env, secPolicyEnv)
 	}
@@ -440,7 +440,7 @@ func newInvalidRequestTypeError(rt prot.ModifyRequestType) error {
 	return errors.Errorf("the RequestType \"%s\" is not supported", rt)
 }
 
-func modifyMappedVirtualDisk(ctx context.Context, rt prot.ModifyRequestType, mvd *prot.MappedVirtualDiskV2, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func modifyMappedVirtualDisk(ctx context.Context, rt prot.ModifyRequestType, mvd *prot.MappedVirtualDiskV2, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	switch rt {
 	case prot.MreqtAdd:
 		mountCtx, cancel := context.WithTimeout(ctx, time.Second*5)
@@ -472,7 +472,7 @@ func modifyMappedDirectory(ctx context.Context, vsock transport.Transport, rt pr
 	}
 }
 
-func modifyMappedVPMemDevice(ctx context.Context, rt prot.ModifyRequestType, vpd *prot.MappedVPMemDeviceV2, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func modifyMappedVPMemDevice(ctx context.Context, rt prot.ModifyRequestType, vpd *prot.MappedVPMemDeviceV2, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	switch rt {
 	case prot.MreqtAdd:
 		return pmem.Mount(ctx, vpd.DeviceNumber, vpd.MountPath, vpd.MappingInfo, vpd.VerityInfo, securityPolicy)
@@ -492,7 +492,7 @@ func modifyMappedVPCIDevice(ctx context.Context, rt prot.ModifyRequestType, vpci
 	}
 }
 
-func modifyCombinedLayers(ctx context.Context, rt prot.ModifyRequestType, cl *prot.CombinedLayersV2, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func modifyCombinedLayers(ctx context.Context, rt prot.ModifyRequestType, cl *prot.CombinedLayersV2, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	switch rt {
 	case prot.MreqtAdd:
 		layerPaths := make([]string, len(cl.Layers))

@@ -23,7 +23,14 @@ var (
 
 // MountLayer first enforces the security policy for the container's layer paths
 // and then calls Mount to mount the layer paths as an overlayfs
-func MountLayer(ctx context.Context, layerPaths []string, upperdirPath, workdirPath, rootfsPath string, readonly bool, containerId string, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func MountLayer(
+	ctx context.Context,
+	layerPaths []string,
+	upperdirPath, workdirPath, rootfsPath string,
+	readonly bool,
+	containerId string,
+	securityPolicy securitypolicy.PolicyEnforcer,
+) (err error) {
 	_, span := trace.StartSpan(ctx, "overlay::MountLayer")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()

@@ -197,10 +197,10 @@ func Test_Security_Policy_Enforcement(t *testing.T) {
 	}
 }
 
-func openDoorSecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer {
-	return &securitypolicy.OpenDoorSecurityPolicyEnforcer{}
+func openDoorSecurityPolicyEnforcer() securitypolicy.PolicyEnforcer {
+	return &securitypolicy.OpenDoorEnforcer{}
 }
 
-func mountMonitoringSecurityPolicyEnforcer() *policy.MountMonitoringSecurityPolicyEnforcer {
-	return &policy.MountMonitoringSecurityPolicyEnforcer{}
+func mountMonitoringSecurityPolicyEnforcer() *policy.MountMonitoringEnforcer {
+	return &policy.MountMonitoringEnforcer{}
 }
@@ -69,7 +69,7 @@ func mount(ctx context.Context, source, target string) (err error) {
 //
 // Note: both mappingInfo and verityInfo can be non-nil at the same time, in that case
 // linear target is created first and it becomes the data/hash device for verity target.
-func Mount(ctx context.Context, device uint32, target string, mappingInfo *prot.DeviceMappingInfo, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func Mount(ctx context.Context, device uint32, target string, mappingInfo *prot.DeviceMappingInfo, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	mCtx, span := trace.StartSpan(ctx, "pmem::Mount")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
@@ -123,7 +123,7 @@ func Mount(ctx context.Context, device uint32, target string, mappingInfo *prot.
 }
 
 // Unmount unmounts `target` and removes corresponding linear and verity targets when needed
-func Unmount(ctx context.Context, devNumber uint32, target string, mappingInfo *prot.DeviceMappingInfo, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func Unmount(ctx context.Context, devNumber uint32, target string, mappingInfo *prot.DeviceMappingInfo, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	_, span := trace.StartSpan(ctx, "pmem::Unmount")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()

@@ -303,12 +303,12 @@ func Test_Security_Policy_Enforcement_Unmount_Calls(t *testing.T) {
 	}
 }
 
-func openDoorSecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer {
-	return &securitypolicy.OpenDoorSecurityPolicyEnforcer{}
+func openDoorSecurityPolicyEnforcer() securitypolicy.PolicyEnforcer {
+	return &securitypolicy.OpenDoorEnforcer{}
 }
 
-func mountMonitoringSecurityPolicyEnforcer() *policy.MountMonitoringSecurityPolicyEnforcer {
-	return &policy.MountMonitoringSecurityPolicyEnforcer{}
+func mountMonitoringSecurityPolicyEnforcer() *policy.MountMonitoringEnforcer {
+	return &policy.MountMonitoringEnforcer{}
 }
 
 // device mapper tests

@@ -49,7 +49,7 @@ const (
 //
 // If `encrypted` is set to true, the SCSI device will be encrypted using
 // dm-crypt.
-func Mount(ctx context.Context, controller, lun uint8, target string, readonly bool, encrypted bool, options []string, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func Mount(ctx context.Context, controller, lun uint8, target string, readonly bool, encrypted bool, options []string, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	spnCtx, span := trace.StartSpan(ctx, "scsi::Mount")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()
@@ -150,7 +150,7 @@ func Mount(ctx context.Context, controller, lun uint8, target string, readonly b
 // Unmount unmounts a SCSI device mounted at `target`.
 //
 // If `encrypted` is true, it removes all its associated dm-crypto state.
-func Unmount(ctx context.Context, controller, lun uint8, target string, encrypted bool, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.SecurityPolicyEnforcer) (err error) {
+func Unmount(ctx context.Context, controller, lun uint8, target string, encrypted bool, verityInfo *prot.DeviceVerityInfo, securityPolicy securitypolicy.PolicyEnforcer) (err error) {
 	ctx, span := trace.StartSpan(ctx, "scsi::Unmount")
 	defer span.End()
 	defer func() { oc.SetSpanStatus(span, err) }()

@@ -616,12 +616,12 @@ func Test_Security_Policy_Enforcement_Unmount_Calls(t *testing.T) {
 	}
 }
 
-func openDoorSecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer {
-	return &securitypolicy.OpenDoorSecurityPolicyEnforcer{}
+func openDoorSecurityPolicyEnforcer() securitypolicy.PolicyEnforcer {
+	return &securitypolicy.OpenDoorEnforcer{}
 }
 
-func mountMonitoringSecurityPolicyEnforcer() *policy.MountMonitoringSecurityPolicyEnforcer {
-	return &policy.MountMonitoringSecurityPolicyEnforcer{}
+func mountMonitoringSecurityPolicyEnforcer() *policy.MountMonitoringEnforcer {
+	return &policy.MountMonitoringEnforcer{}
 }
 
 // dm-verity tests

@@ -0,0 +1,34 @@
+package policy
+
+import (
+	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
+)
+
+// For testing. Records the number of calls to each method so we can verify
+// the expected interactions took place.
+type MountMonitoringEnforcer struct {
+	DeviceMountCalls   int
+	DeviceUnmountCalls int
+	OverlayMountCalls  int
+}
+
+var _ securitypolicy.PolicyEnforcer = (*MountMonitoringEnforcer)(nil)
+
+func (p *MountMonitoringEnforcer) EnforceDeviceMountPolicy(_ string, _ string) (err error) {
+	p.DeviceMountCalls++
+	return nil
+}
+
+func (p *MountMonitoringEnforcer) EnforceDeviceUnmountPolicy(_ string) (err error) {
+	p.DeviceUnmountCalls++
+	return nil
+}
+
+func (p *MountMonitoringEnforcer) EnforceOverlayMountPolicy(_ string, _ []string) (err error) {
+	p.OverlayMountCalls++
+	return nil
+}
+
+func (p *MountMonitoringEnforcer) EnforceCreateContainerPolicy(_ string, _ []string, _ []string) (err error) {
+	return nil
+}
@@ -46,7 +46,7 @@ func main() {
 			return err
 		}
 
-		policy, err := func() (securitypolicy.SecurityPolicy, error) {
+		policy, err := func() (securitypolicy.Policy, error) {
 			if config.AllowAll {
 				return createOpenDoorPolicy(), nil
 			} else {
@@ -99,14 +99,14 @@ type Config struct {
 	Containers []Container `toml:"container"`
 }
 
-func createOpenDoorPolicy() securitypolicy.SecurityPolicy {
-	return securitypolicy.SecurityPolicy{
+func createOpenDoorPolicy() securitypolicy.Policy {
+	return securitypolicy.Policy{
 		AllowAll: true,
 	}
 }
 
-func createPolicyFromConfig(config Config) (securitypolicy.SecurityPolicy, error) {
-	p := securitypolicy.SecurityPolicy{
+func createPolicyFromConfig(config Config) (securitypolicy.Policy, error) {
+	p := securitypolicy.Policy{
 		Containers: securitypolicy.Containers{
 			Elements: map[string]securitypolicy.Container{},
 		},