policy: strengthen bundle id validation
Ensure bundle id read from annotation matches expected format

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
Redent0r committed Jan 7, 2025
1 parent 3627201 commit 45ef622
Showing 1 changed file with 5 additions and 1 deletion.
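--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -54,6 +54,7 @@ default AllowRequestsFailingPolicy := false
 # Constants
 S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
 S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
+BUNDLE_ID = "[a-z0-9]{64}"
 
 CreateContainerRequest {
 # Check if the input request should be rejected even before checking the
@@ -468,6 +469,9 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
 bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
 bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
 
+bundle_id_format := concat("", ["^", BUNDLE_ID, "$"])
+regex.match(bundle_id_format, bundle_id)
+
 key := "io.kubernetes.cri.sandbox-id"
 
 p_regex := p_oci.Annotations[key]
@@ -1226,7 +1230,7 @@ CopyFileRequest {
 some regex1 in policy_data.request_defaults.CopyFileRequest
 regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
 regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
-regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
+regex4 := replace(regex3, "$(bundle-id)", BUNDLE_ID)
 print("CopyFileRequest: regex4 =", regex4)
 
 regex.match(regex4, input.path)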
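Review bot: The new format check in allow_by_bundle_or_sandbox_id only validates what is left after `replace(bundle_path, ...)`, and `replace` strips the containerd prefix wherever it occurs rather than only at the start. A `bundle_path` annotation that lacks the prefix, or carries it in the middle, can therefore still yield a 64-character `bundle_id` that passes the anchored match. Requiring the prefix before stripping it would close that gap, e.g. by adding `startswith(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/")` ahead of the `bundle_id :=` line. The rule body continues outside the hunk, so how `bundle_id` is consumed afterwards should be confirmed. Because `BUNDLE_ID` is an unanchored fragment that CopyFileRequest substitutes into `regex4`, a comment on the constant such as `# Unanchored fragment: wrap in ^...$ when matching a whole value` would help later callers avoid substring matches.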
