From 1c18d6e98b34151c214da757883946224d7a7238 Mon Sep 17 00:00:00 2001
From: Maksim An
Date: Wed, 9 Mar 2022 18:16:53 -0800
Subject: [PATCH] Default to deny all security policy.
When bringing up the UVM default to closed door security policy to reject any modification requests prior to security policy is set inside GCS. When security policy is empty, default to open door policy.
Signed-off-by: Maksim An
---
 internal/guest/runtime/hcsv2/uvm.go | 4 ++--
 internal/tools/securitypolicy/README.md | 1 -
 internal/uvm/security_policy.go | 7 ++++++-
 pkg/securitypolicy/securitypolicy.go | 5 +++--
 .../Microsoft/hcsshim/internal/uvm/security_policy.go | 7 ++++++-
 .../Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go | 5 +++--
 6 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 7de89dc9e3..36e9834110 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -16,7 +16,7 @@ import (
 	"syscall"
 	"time"
 
-	shellwords "github.com/mattn/go-shellwords"
+	"github.com/mattn/go-shellwords"
 	"github.com/pkg/errors"
 
 	"github.com/Microsoft/hcsshim/internal/guest/gcserr"
@@ -66,7 +66,7 @@ func NewHost(rtime runtime.Runtime, vsock transport.Transport) *Host {
 		rtime: rtime,
 		vsock: vsock,
 		securityPolicyEnforcerSet: false,
-		securityPolicyEnforcer: &securitypolicy.OpenDoorSecurityPolicyEnforcer{},
+		securityPolicyEnforcer: &securitypolicy.ClosedDoorSecurityPolicyEnforcer{},
 	}
 }
diff --git a/internal/tools/securitypolicy/README.md b/internal/tools/securitypolicy/README.md
index 52ecf95c54..0e82674496 100644
--- a/internal/tools/securitypolicy/README.md
+++ b/internal/tools/securitypolicy/README.md
@@ -159,4 +159,3 @@ isn't in the TOML configuration.
 If the version of the pause container changes from 3.1, you will need to update the hardcoded root hash by running the `dmverity-vhd` to compute the root hash for the new container and update this tool accordingly.
-
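Review bot: The switch to ClosedDoorSecurityPolicyEnforcer in NewHost is the fail-closed decision this commit exists for, yet the struct literal carries no comment saying so, and a later reader may take the deny-everything default for an accident and flip it back to OpenDoor. Add above the `securityPolicyEnforcer:` field: `// Fail closed: reject every policy-gated request until SetSecurityPolicy installs the enforcer for the real policy.` (whether securityPolicyEnforcerSet is the flag that records that hand-off is not visible in this hunk — confirm and mention it in the comment if so). ClosedDoorSecurityPolicyEnforcer itself is not part of this diff, so I am assuming it already exists in the securitypolicy package. A small test asserting that a freshly constructed Host rejects a container-creation request before any policy is set would pin this behaviour against regression.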
diff --git a/internal/uvm/security_policy.go b/internal/uvm/security_policy.go
index f63b3ec64d..89278acb6b 100644
--- a/internal/uvm/security_policy.go
+++ b/internal/uvm/security_policy.go
@@ -20,7 +20,12 @@ func (uvm *UtilityVM) SetSecurityPolicy(ctx context.Context, policy string) erro
 	}
 
 	if policy == "" {
-		return nil
+		openDoorPolicy := securitypolicy.NewOpenDoorPolicy()
+		policyString, err := openDoorPolicy.EncodeToString()
+		if err != nil {
+			return err
+		}
+		policy = policyString
 	}
 
 	uvm.m.Lock()
diff --git a/pkg/securitypolicy/securitypolicy.go b/pkg/securitypolicy/securitypolicy.go
index 42ea861024..87cf644aef 100644
--- a/pkg/securitypolicy/securitypolicy.go
+++ b/pkg/securitypolicy/securitypolicy.go
@@ -160,12 +160,13 @@ type SecurityPolicy struct {
 	Containers Containers `json:"containers"`
 }
 
+// EncodeToString returns base64 encoded string representation of SecurityPolicy.
 func (sp *SecurityPolicy) EncodeToString() (string, error) {
-	j, err := json.Marshal(sp)
+	jsn, err := json.Marshal(sp)
 	if err != nil {
 		return "", err
 	}
-	return base64.StdEncoding.EncodeToString(j), nil
+	return base64.StdEncoding.EncodeToString(jsn), nil
 }
 
 type Containers struct {
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go b/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go
index f63b3ec64d..89278acb6b 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/uvm/security_policy.go
@@ -20,7 +20,12 @@ func (uvm *UtilityVM) SetSecurityPolicy(ctx context.Context, policy string) erro
 	}
 
 	if policy == "" {
-		return nil
+		openDoorPolicy := securitypolicy.NewOpenDoorPolicy()
+		policyString, err := openDoorPolicy.EncodeToString()
+		if err != nil {
+			return err
+		}
+		policy = policyString
 	}
 
 	uvm.m.Lock()
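Review bot: Now that the guest defaults to deny-all, the `policy == ""` branch is the point where a UVM is deliberately put into an unconfined state, and nothing in the new code records that — neither a comment nor a log line — so an operator reading host logs cannot tell a policy-less UVM from a confined one. State the intent above the branch, e.g. `// An empty policy means "no confinement": send an explicit open-door policy so the GCS replaces its closed-door default.`, and emit a log entry at that point with whatever logger this file already uses (not visible here). The bare `return err` after EncodeToString also drops context; `return errors.Wrap(err, "encoding default open door policy")` if this file imports pkg/errors as internal/guest/runtime/hcsv2/uvm.go does, otherwise `fmt.Errorf("encoding default open door policy: %w", err)`. SetSecurityPolicy begins before this hunk and continues after it, and the test/vendor copy of this file carries the identical hunk.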
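Review bot: The new doc comment on EncodeToString says only "base64 encoded string", while the body fixes the exact wire format — the json.Marshal output of sp, then base64.StdEncoding (padded) — and callers such as SetSecurityPolicy now rely on that format; make the comment state it: `// EncodeToString returns sp serialized as JSON and encoded with base64.StdEncoding.` The rename from `j` to `jsn` is purely cosmetic and `jsn` is no clearer than `j`; `data` would read better, or leave the name alone. The vendored copy under test/vendor carries the same hunk.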
diff --git a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go
index 42ea861024..87cf644aef 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicy.go
@@ -160,12 +160,13 @@ type SecurityPolicy struct {
 	Containers Containers `json:"containers"`
 }
 
+// EncodeToString returns base64 encoded string representation of SecurityPolicy.
 func (sp *SecurityPolicy) EncodeToString() (string, error) {
-	j, err := json.Marshal(sp)
+	jsn, err := json.Marshal(sp)
 	if err != nil {
 		return "", err
 	}
-	return base64.StdEncoding.EncodeToString(j), nil
+	return base64.StdEncoding.EncodeToString(jsn), nil
 }
 
 type Containers struct {