feat: add devices and capabilities support for containerd engine

Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2024-05-25 01:56:14 +02:00 · 2021-12-11 12:16:05 +01:00 · 2021-12-11 12:16:05 +01:00 · e5e919bebe
parent 696cea1e87
commit e5e919bebe
2 changed files with 43 additions and 3 deletions
--- a/udica/parse.py
+++ b/udica/parse.py
@ -215,7 +215,7 @@ class ContainerdHelper(EngineHelper):

    @getter_decorator
    def get_devices(self, data):
-        return []
+        return data[0]["Spec"]["linux"]["devices"]

    @getter_decorator
    def get_mounts(self, data):
@ -235,6 +235,12 @@ class ContainerdHelper(EngineHelper):

    @getter_decorator
    def get_caps(self, data, opts):
+        if opts["Caps"]:
+            return (
+                opts["Caps"].split(",") if opts["Caps"] not in ["None", "none"] else []
+            )
+        else:
+            return data[0]["Spec"]["capabilities"]["effective"]
        return []


@ -288,7 +294,6 @@ def parse_avc_file(data):


 def validate_container_engine(ContainerEngine):
-    print(ContainerEngine)
    if ContainerEngine in ENGINE_ALL + ["CRIO", "-"]:
        # Fix CRIO reference to use ENGINE_CRIO
        if ContainerEngine == "CRIO":
--- a/udica/policy.py
+++ b/udica/policy.py
@ -172,7 +172,9 @@ def create_policy(

    # devices
    # Not applicable for CRI-O container engine
-    if inspect_format != "CRI-O":
+    if inspect_format == "containerd":
+        write_policy_for_containerd_devices(devices, policy)
+    elif inspect_format != "CRI-0":
        write_policy_for_podman_devices(devices, policy)

    # mounts
@ -431,6 +433,39 @@ def write_policy_for_podman_mounts(mounts, policy):
                        + " ))) \n"
                    )

+
+def write_policy_for_containerd_devices(devices, policy):
+    # devices JSON example:
+    # [
+    #   {
+    #     "path": "/dev/zero",
+    #     "type": "c",
+    #     "major": 1,
+    #     "minor": 5,
+    #     "fileMode": 438,
+    #     "uid": 0,
+    #     "gid": 0
+    #   }
+    # ]
+    for item in sorted(devices, key=lambda x: str(x["path"])):
+        contexts = list_contexts(item["path"])
+        for context in contexts:
+            policy.write(
+                "    (allow process "
+                + context
+                + " ( blk_file ( "
+                + perms.perm["device_rw"]
+                + " ))) \n"
+            )
+            policy.write(
+                "    (allow process "
+                + context
+                + " ( chr_file ( "
+                + perms.perm["device_rw"]
+                + " ))) \n"
+            )
+
+
 def write_policy_for_containerd_mounts(mounts, policy):
    # mount JSON example:
    # {