rego policy enforcer should use the same user parsing logic as GCS (#2405)

This PR fixes a discrepancy between user info handling between
GCS and rego policy enforcer. For example, GCS doesn't require the
user/group to exist in container's /etc/passwd and /etc/group
and has a fallback to UID and GID 0, when the user is absent.
Rego enforcer's `GetUserInfo`, however, always tries to
lookup user/group in /etc/passwd and /etc/group and returns
an error when the UID doesn't exist. This behavior is inconsistent
with non confidential LCOW workloads and fixed in this PR.

To avoid circular imports, the spec.go and spec_devices.go under
`internal/guest/runtime/hcsv2` have been moved under
`internal/guest/spec` and the dependent code updated accordingly.
As a result a bunch of methods are now exported, but still under
`internal`, so this shouldn't cause problems.

User parsing has been updated and split into `ParseUserStr`, which
returns UID and GID for a given `username` string and `SetUserStr`,
which just sets the UID and GID for the OCI process.

Rego enforcer's `GetUserInfo` now prioritizes the result of
`ParseUserStr` and fallbacks to the previous behavior of UID/GID
lookup in container's filesystem.

Signed-off-by: Maksim An <maksiman@microsoft.com>

Author: anmaxvl

go.mod

@@ -57,7 +57,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/docker/cli v24.0.0+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v27.3.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect

go.sum

@@ -79,8 +79,8 @@ github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7c
 github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM=
 github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
 github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=

internal/guest/policy/default.go

@@ -6,15 +6,15 @@ package policy
 import (
 	oci "github.com/opencontainers/runtime-spec/specs-go"
 
-	internalSpec "github.com/Microsoft/hcsshim/internal/guest/spec"
+	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
 	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
 )
 
 func ExtendPolicyWithNetworkingMounts(sandboxID string, enforcer securitypolicy.SecurityPolicyEnforcer, spec *oci.Spec) error {
 	roSpec := &oci.Spec{
 		Root: spec.Root,
 	}
-	networkingMounts := internalSpec.GenerateWorkloadContainerNetworkMounts(sandboxID, roSpec)
+	networkingMounts := specGuest.GenerateWorkloadContainerNetworkMounts(sandboxID, roSpec)
 	if err := enforcer.ExtendDefaultMounts(networkingMounts); err != nil {
 		return err
 	}

internal/guest/runtime/hcsv2/container.go

@@ -21,7 +21,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/guest/gcserr"
 	"github.com/Microsoft/hcsshim/internal/guest/prot"
 	"github.com/Microsoft/hcsshim/internal/guest/runtime"
-	specInternal "github.com/Microsoft/hcsshim/internal/guest/spec"
+	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
 	"github.com/Microsoft/hcsshim/internal/guest/stdio"
 	"github.com/Microsoft/hcsshim/internal/guest/storage"
 	"github.com/Microsoft/hcsshim/internal/guest/transport"
@@ -115,7 +115,7 @@ func (c *Container) ExecProcess(ctx context.Context, process *oci.Process, conSe
 	// assign the uid:gid from the container.
 	if process.User.Username != "" {
 		// The exec provided a user string of it's own. Grab the uid:gid pairing for the string (if one exists).
-		if err := setUserStr(&oci.Spec{Root: c.spec.Root, Process: process}, process.User.Username); err != nil {
+		if err := specGuest.SetUserStr(&oci.Spec{Root: c.spec.Root, Process: process}, process.User.Username); err != nil {
 			return -1, err
 		}
 		// Runc doesn't care about this, and just to be safe clear it.
@@ -194,12 +194,12 @@ func (c *Container) Delete(ctx context.Context) error {
 	entity.Info("opengcs::Container::Delete")
 	if c.isSandbox {
 		// remove user mounts in sandbox container
-		if err := storage.UnmountAllInPath(ctx, specInternal.SandboxMountsDir(c.id), true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, specGuest.SandboxMountsDir(c.id), true); err != nil {
 			entity.WithError(err).Error("failed to unmount sandbox mounts")
 		}
 
 		// remove hugepages mounts in sandbox container
-		if err := storage.UnmountAllInPath(ctx, specInternal.HugePagesMountsDir(c.id), true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, specGuest.HugePagesMountsDir(c.id), true); err != nil {
 			entity.WithError(err).Error("failed to unmount hugepages mounts")
 		}
 	}

internal/guest/runtime/hcsv2/sandbox_container.go

@@ -14,21 +14,21 @@ import (
 	"go.opencensus.io/trace"
 
 	"github.com/Microsoft/hcsshim/internal/guest/network"
-	specInternal "github.com/Microsoft/hcsshim/internal/guest/spec"
+	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 func getSandboxHostnamePath(id string) string {
-	return filepath.Join(specInternal.SandboxRootDir(id), "hostname")
+	return filepath.Join(specGuest.SandboxRootDir(id), "hostname")
 }
 
 func getSandboxHostsPath(id string) string {
-	return filepath.Join(specInternal.SandboxRootDir(id), "hosts")
+	return filepath.Join(specGuest.SandboxRootDir(id), "hosts")
 }
 
 func getSandboxResolvPath(id string) string {
-	return filepath.Join(specInternal.SandboxRootDir(id), "resolv.conf")
+	return filepath.Join(specGuest.SandboxRootDir(id), "resolv.conf")
 }
 
 func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (err error) {
@@ -38,7 +38,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	span.AddAttributes(trace.StringAttribute("cid", id))
 
 	// Generate the sandbox root dir
-	rootDir := specInternal.SandboxRootDir(id)
+	rootDir := specGuest.SandboxRootDir(id)
 	if err := os.MkdirAll(rootDir, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create sandbox root directory %q", rootDir)
 	}
@@ -71,7 +71,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	}
 
 	// Write resolv.conf
-	ns, err := getNetworkNamespace(getNetworkNamespaceID(spec))
+	ns, err := getNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
 	if err != nil {
 		return err
 	}
@@ -98,13 +98,13 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	// guest. The username field is used as a temporary holding place until we can perform this work here when
 	// we actually have the rootfs to inspect.
 	if spec.Process.User.Username != "" {
-		if err := setUserStr(spec, spec.Process.User.Username); err != nil {
+		if err := specGuest.SetUserStr(spec, spec.Process.User.Username); err != nil {
 			return err
 		}
 	}
 
 	if rlimCore := spec.Annotations[annotations.RLimitCore]; rlimCore != "" {
-		if err := setCoreRLimit(spec, rlimCore); err != nil {
+		if err := specGuest.SetCoreRLimit(spec, rlimCore); err != nil {
 			return err
 		}
 	}