Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Working directory enforcement #1305

Merged
merged 7 commits into from
Mar 7, 2022
Merged

Working directory enforcement #1305

merged 7 commits into from
Mar 7, 2022

Conversation

anmaxvl
Copy link
Contributor

@anmaxvl anmaxvl commented Feb 23, 2022

The working directory can be set as part of container image
by WORKINGDIR Dockerfile directive or could be explicitly
set inside CRI container config. Changing the CWD of container
can change the expected behavior of a container.

If the working_dir config is not present or empty inside the
policy config, this information will be gathered from container
image spec.

Add logic to enforce CWD enforcement inside GCS and extend
policy dev tool and policy structure to support this scenario.
The enforcement is an exact string match between what's in the
policy and what's in the generated container spec. If the paths
don't match, the container will fail to start.

Add a utility funcion that picks a random container from an array
and generates a valid/invalid overlay for that container. Refactor
tests to use the new utility function

@anmaxvl anmaxvl requested a review from a team as a code owner February 23, 2022 18:49
@anmaxvl anmaxvl force-pushed the working-directory-enforcement branch from fb7695b to 5608c26 Compare February 28, 2022 22:12
@anmaxvl
Copy link
Contributor Author

anmaxvl commented Mar 1, 2022

@microsoft/containerplat anyone else can take a look? Thanks.

dcantah
dcantah approved these changes Mar 2, 2022
View reviewed changes
Copy link
Contributor

@dcantah dcantah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, couple things

anmaxvl added 7 commits March 4, 2022 12:03
@anmaxvl
Add current working directory enforcement.
9996c76 
The working directory can be set as part of container image
by WORKINGDIR Dockerfile directive or could be explicitly
set inside CRI container config. Changing the CWD of container
can change the expected behavior of a container.

If the working_dir config is not present or empty inside the
policy config, this information will be gathered from container
image spec.

Add logic to enforce CWD enforcement inside GCS and extend
policy dev tool and policy structure to support this scenario.
The enforcement is an exact string match between what's in the
policy and what's in the generated container spec. If the paths
don't match, the container will fail to start.

Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
Minor refactor of securitypolicy_test
383cc93 
Add a utility funcion that picks a random container from an array
and generates a valid/invalid overlay for that container. Refactor
tests to use the new utility function.

Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
Add unit tests for enforcing working directory
fe6c2be 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
pr feedback: fix loop and log seed
815cced 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
fix linting issue
3906817 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
pr feedback: use indices instead of indexes in variable names
f7d03f0 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
Set CWD to "/" when not set in image and policy config
d9dfbee 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl anmaxvl force-pushed the working-directory-enforcement branch from e4ca154 to d9dfbee Compare March 4, 2022 20:05
@msscotb
Copy link
Contributor

msscotb commented Mar 6, 2022

lgtm

@anmaxvl anmaxvl merged commit f50f975 into microsoft:master Mar 7, 2022
@anmaxvl anmaxvl deleted the working-directory-enforcement branch March 7, 2022 17:42
anmaxvl pushed a commit that referenced this pull request Feb 7, 2023
@ambarve
Merged PR 5895108: update ADO to d36cc7c
6a5be6f 
Related work items: #1240, #1241, #1258, #1260, #1270, #1271, #1272, #1279, #1286, #1288, #1289, #1292, #1293, #1294, #1295, #1297, #1298, #1299, #1301, #1305, #1307, #1308, #1309, #1310, #1313, #1314, #1315, #1318, #1320, #1321, #1322, #1324, #1326, #1328, #1332, #1333, #1334, #1335, #1337
princepereira pushed a commit to princepereira/hcsshim that referenced this pull request Aug 29, 2024
@anmaxvl
Working directory enforcement (microsoft#1305)
d0e9fb8 
* Add current working directory enforcement.

The working directory can be set as part of container image
by WORKINGDIR Dockerfile directive or could be explicitly
set inside CRI container config. Changing the CWD of container
can change the expected behavior of a container.

If the working_dir config is not present or empty inside the
policy config, this information will be gathered from container
image spec.

Add logic to enforce CWD enforcement inside GCS and extend
policy dev tool and policy structure to support this scenario.
The enforcement is an exact string match between what's in the
policy and what's in the generated container spec. If the paths
don't match, the container will fail to start.

* Minor refactor of securitypolicy_test

Add a utility funcion that picks a random container from an array
and generates a valid/invalid overlay for that container. Refactor
tests to use the new utility function.

* Add unit tests for enforcing working directory

Signed-off-by: Maksim An <maksiman@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcantah dcantah dcantah approved these changes

@msscotb msscotb msscotb approved these changes

Assignees

@msscotb msscotb

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@anmaxvl @msscotb @dcantah