rego policy enforcer should use the same user parsing logic as GCS

go.mod

@@ -57,7 +57,7 @@ require (
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/docker/cli v24.0.0+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker v27.3.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect

go.sum

@@ -79,8 +79,8 @@ github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7c
 github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM=
 github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
+github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
 github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=

internal/guest/policy/default.go

@@ -6,15 +6,15 @@ package policy
 import (
 	oci "github.com/opencontainers/runtime-spec/specs-go"
 
-	internalSpec "github.com/Microsoft/hcsshim/internal/guest/spec"
+	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
 	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
 )
 
 func ExtendPolicyWithNetworkingMounts(sandboxID string, enforcer securitypolicy.SecurityPolicyEnforcer, spec *oci.Spec) error {
 	roSpec := &oci.Spec{
 		Root: spec.Root,
 	}
-	networkingMounts := internalSpec.GenerateWorkloadContainerNetworkMounts(sandboxID, roSpec)
+	networkingMounts := specGuest.GenerateWorkloadContainerNetworkMounts(sandboxID, roSpec)
 	if err := enforcer.ExtendDefaultMounts(networkingMounts); err != nil {
 		return err
 	}

internal/guest/runtime/hcsv2/container.go

@@ -21,7 +21,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/guest/gcserr"
 	"github.com/Microsoft/hcsshim/internal/guest/prot"
 	"github.com/Microsoft/hcsshim/internal/guest/runtime"
-	specInternal "github.com/Microsoft/hcsshim/internal/guest/spec"
+	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
 	"github.com/Microsoft/hcsshim/internal/guest/stdio"
 	"github.com/Microsoft/hcsshim/internal/guest/storage"
 	"github.com/Microsoft/hcsshim/internal/guest/transport"
@@ -115,7 +115,7 @@ func (c *Container) ExecProcess(ctx context.Context, process *oci.Process, conSe
 	// assign the uid:gid from the container.
 	if process.User.Username != "" {
 		// The exec provided a user string of it's own. Grab the uid:gid pairing for the string (if one exists).
-		if err := setUserStr(&oci.Spec{Root: c.spec.Root, Process: process}, process.User.Username); err != nil {
+		if err := specGuest.SetUserStr(&oci.Spec{Root: c.spec.Root, Process: process}, process.User.Username); err != nil {
 			return -1, err
 		}
 		// Runc doesn't care about this, and just to be safe clear it.
@@ -194,12 +194,12 @@ func (c *Container) Delete(ctx context.Context) error {
 	entity.Info("opengcs::Container::Delete")
 	if c.isSandbox {
 		// remove user mounts in sandbox container
-		if err := storage.UnmountAllInPath(ctx, specInternal.SandboxMountsDir(c.id), true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, specGuest.SandboxMountsDir(c.id), true); err != nil {
 			entity.WithError(err).Error("failed to unmount sandbox mounts")
 		}
 
 		// remove hugepages mounts in sandbox container
-		if err := storage.UnmountAllInPath(ctx, specInternal.HugePagesMountsDir(c.id), true); err != nil {
+		if err := storage.UnmountAllInPath(ctx, specGuest.HugePagesMountsDir(c.id), true); err != nil {
 			entity.WithError(err).Error("failed to unmount hugepages mounts")
 		}
 	}

internal/guest/runtime/hcsv2/sandbox_container.go

@@ -14,21 +14,21 @@ import (
 	"go.opencensus.io/trace"
 
 	"github.com/Microsoft/hcsshim/internal/guest/network"
-	specInternal "github.com/Microsoft/hcsshim/internal/guest/spec"
+	specGuest "github.com/Microsoft/hcsshim/internal/guest/spec"
 	"github.com/Microsoft/hcsshim/internal/oc"
 	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 func getSandboxHostnamePath(id string) string {
-	return filepath.Join(specInternal.SandboxRootDir(id), "hostname")
+	return filepath.Join(specGuest.SandboxRootDir(id), "hostname")
 }
 
 func getSandboxHostsPath(id string) string {
-	return filepath.Join(specInternal.SandboxRootDir(id), "hosts")
+	return filepath.Join(specGuest.SandboxRootDir(id), "hosts")
 }
 
 func getSandboxResolvPath(id string) string {
-	return filepath.Join(specInternal.SandboxRootDir(id), "resolv.conf")
+	return filepath.Join(specGuest.SandboxRootDir(id), "resolv.conf")
 }
 
 func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (err error) {
@@ -38,7 +38,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	span.AddAttributes(trace.StringAttribute("cid", id))
 
 	// Generate the sandbox root dir
-	rootDir := specInternal.SandboxRootDir(id)
+	rootDir := specGuest.SandboxRootDir(id)
 	if err := os.MkdirAll(rootDir, 0755); err != nil {
 		return errors.Wrapf(err, "failed to create sandbox root directory %q", rootDir)
 	}
@@ -71,7 +71,7 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	}
 
 	// Write resolv.conf
-	ns, err := getNetworkNamespace(getNetworkNamespaceID(spec))
+	ns, err := getNetworkNamespace(specGuest.GetNetworkNamespaceID(spec))
 	if err != nil {
 		return err
 	}
@@ -98,13 +98,13 @@ func setupSandboxContainerSpec(ctx context.Context, id string, spec *oci.Spec) (
 	// guest. The username field is used as a temporary holding place until we can perform this work here when
 	// we actually have the rootfs to inspect.
 	if spec.Process.User.Username != "" {
-		if err := setUserStr(spec, spec.Process.User.Username); err != nil {
+		if err := specGuest.SetUserStr(spec, spec.Process.User.Username); err != nil {
 			return err
 		}
 	}
 
 	if rlimCore := spec.Annotations[annotations.RLimitCore]; rlimCore != "" {
-		if err := setCoreRLimit(spec, rlimCore); err != nil {
+		if err := specGuest.SetCoreRLimit(spec, rlimCore); err != nil {
 			return err
 		}
 	}