Provide error message when allow_stdio_access creates and undecideable error

pkg/securitypolicy/framework.rego

@@ -1049,3 +1049,59 @@ errors[fragment_framework_svn_error] {
  semver.compare(data[input.namespace].framework_svn, svn) > 0
  fragment_framework_svn_error := concat(" ", ["fragment framework_svn is ahead of the current svn:", data[input.namespace].framework_svn, ">", svn])
 }
+
+errors["containers only distinguishable by allow_stdio_access"] {
+ input.rule == "create_container"
+
+ not container_started
+ possible_containers := [container |
+ container := data.metadata.matches[input.containerID][_]
+ privileged_ok(container.allow_elevated)
+ workingDirectory_ok(container.working_dir)
+ command_ok(container.command)
+ mountList_ok(container.mounts, container.allow_elevated)
+ ]
+
+ count(possible_containers) > 0
+
+ # check to see if the environment variables match, dropping
+ # them if allowed (and necessary)
+ env_list := valid_envs_for_all(possible_containers)
+ containers := [container |
+ container := possible_containers[_]
+ envList_ok(container.env_rules, env_list)
+ ]
+
+ count(containers) > 0
+
+ allow_stdio_access := containers[0].allow_stdio_access
+ some c in containers
+ c.allow_stdio_access != allow_stdio_access
+}
+
+errors["external processes only distinguishable by allow_stdio_access"] {
+ input.rule == "exec_external"
+
+ possible_processes := [process |
+ process := candidate_external_processes[_]
+ workingDirectory_ok(process.working_dir)
+ command_ok(process.command)
+ ]
+
+ count(possible_processes) > 0
+
+ # check to see if the environment variables match, dropping
+ # them if allowed (and necessary)
+ env_list := valid_envs_for_all(possible_processes)
+ processes := [process |
+ process := possible_processes[_]
+ envList_ok(process.env_rules, env_list)
+ ]
+
+ count(processes) > 0
+
+ allow_stdio_access := processes[0].allow_stdio_access
+ some p in processes
+ p.allow_stdio_access != allow_stdio_access
+}
+

pkg/securitypolicy/regopolicy_test.go

@@ -3957,6 +3957,75 @@ func Test_Rego_EnvListGetsRedacted(t *testing.T) {
  }
 }
 
+func Test_Rego_Enforce_CreateContainer_ConflictingAllowStdioAccessHasErrorMessage(t *testing.T) {
+ constraints := generateConstraints(testRand, 1)
+ constraints.containers[0].AllowStdioAccess = true
+
+ // create a "duplicate" as far as create container is concerned excep for
+ // a different "AllowStdioAccess" value
+ duplicate := &securityPolicyContainer{
+ Command: constraints.containers[0].Command,
+ EnvRules: constraints.containers[0].EnvRules,
+ WorkingDir: constraints.containers[0].WorkingDir,
+ Mounts: constraints.containers[0].Mounts,
+ Layers: constraints.containers[0].Layers,
+ ExecProcesses: generateExecProcesses(testRand),
+ Signals: generateListOfSignals(testRand, 0, maxSignalNumber),
+ AllowElevated: constraints.containers[0].AllowElevated,
+ AllowStdioAccess: false,
+ }
+
+ constraints.containers = append(constraints.containers, duplicate)
+
+ tc, err := setupRegoCreateContainerTest(constraints, constraints.containers[0], false)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ _, _, err = tc.policy.EnforceCreateContainerPolicy(tc.sandboxID, tc.containerID, tc.argList, tc.envList, tc.workingDir, tc.mounts, false)
+
+ // not getting an error means something is broken
+ if err == nil {
+ t.Fatalf("Unexpected success when enforcing policy")
+ }
+
+ if !strings.Contains(err.Error(), "containers only distinguishable by allow_stdio_access") {
+ t.Fatal("No error message given for conflicting allow_stdio_access on otherwise 'same' containers")
+ }
+}
+
+func Test_Rego_ExecExternalProcessPolicy_ConflictingAllowStdioAccessHasErrorMessage(t *testing.T) {
+ constraints := generateConstraints(testRand, 1)
+ process := generateExternalProcess(testRand)
+ process.allowStdioAccess = false
+ duplicate := process.clone()
+ duplicate.allowStdioAccess = true
+
+ constraints.externalProcesses = append(constraints.externalProcesses, process)
+ constraints.externalProcesses = append(constraints.externalProcesses, duplicate)
+ securityPolicy := constraints.toPolicy()
+ defaultMounts := generateMounts(testRand)
+ privilegedMounts := generateMounts(testRand)
+
+ policy, err := newRegoPolicy(securityPolicy.marshalRego(),
+ toOCIMounts(defaultMounts),
+ toOCIMounts(privilegedMounts))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ envList := buildEnvironmentVariablesFromEnvRules(process.envRules, testRand)
+
+ _, _, err = policy.EnforceExecExternalProcessPolicy(process.command, envList, process.workingDir)
+ if err == nil {
+ t.Fatal("Policy was unexpectedly not enforced")
+ }
+
+ if !strings.Contains(err.Error(), "external processes only distinguishable by allow_stdio_access") {
+ t.Fatal("No error message given for conflicting allow_stdio_access on otherwise 'same' external processes")
+ }
+}
+
 //
 // Setup and "fixtures" follow...
 //