mirror of https://github.com/containers/udica synced 2024-05-10 23:36:11 +02:00
Commit Graph

238 Commits

Author SHA1 Message Date
Vit Mojzis 131d228c6a confined: allow asynchronous I/O operations
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-03-04 12:59:53 +01:00
Vit Mojzis f411c14698 confined: make "-l" non-optional
The confinedom_user_login_macro is needed for all custom users.

Also, allow the new user type to be accessed via remote login.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-03-01 18:48:20 +01:00
Vit Mojzis d444e67ead Add tests covering confined user policy generation
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-02-12 19:53:57 +01:00
Vit Mojzis 3cda61f9a5 Add option to generate custom policy for a confined user
Udica can now generate cil policy for a confined user using a list of
macros.
The macros are based on policy templates created by Patrik Končitý:
https://github.com/Koncpa/confined-users-policy

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2024-02-12 19:53:57 +01:00
vmojzis 106a80f399
Merge pull request #135 from containers/renovate/major-ci-vm-image
Update dependency containers/automation_images to v20231208
2023-12-13 10:58:12 +01:00
renovate[bot] fa7fe1beaa
Update dependency containers/automation_images to v20231208
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-12-12 17:15:17 +00:00
Vit Mojzis b19842e937 udica-0.2.8
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-11-29 11:02:48 +01:00
vmojzis 3bc6001b6d
Merge pull request #131 from containers/renovate/major-ci-vm-image
Update dependency containers/automation_images to v20231004
2023-11-29 10:50:24 +01:00
Chris Evich 5428c0bbd4
CI: Drop release from test name
Display of release number is a burden to update on new CI VM images and
getting it wrong (or forgetting) could be unhelpful to developers.
Since it's mainly cosmetic, and not used by any tests, remove it.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-10-18 10:04:31 -04:00
renovate[bot] 16b952d37e
Update dependency containers/automation_images to v20231004
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-10-17 17:39:49 +00:00
vmojzis 79faf69acd
Merge pull request #128 from containers/renovate/major-ci-vm-image
Update dependency containers/automation_images to v20230614
2023-06-19 15:20:34 +02:00
renovate[bot] 0e25295beb
Update dependency containers/automation_images to v20230614
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-06-14 16:43:38 +00:00
Chris Evich 24c62fc041
Merge pull request #127 from containers/renovate/major-ci-vm-image
Update dependency containers/automation_images to v20230426
2023-05-15 10:38:01 -04:00
Juan Antonio Osorio 81c7e594dd
Merge pull request #126 from containers/renovate/actions-checkout-3.x
[skip-ci] Update actions/checkout action to v3
2023-05-08 18:05:50 +03:00
renovate[bot] 313ece36ce
Update dependency containers/automation_images to v20230426
Also update Fedora name.

Signed-off-by: Renovate Bot <bot@renovateapp.com>
Signed-off-by: Chris Evich <cevich@redhat.com>
2023-05-03 10:02:32 -04:00
renovate[bot] 61e4adfd7c
[skip-ci] Update actions/checkout action to v3
Signed-off-by: Renovate Bot <bot@renovateapp.com>
2023-04-24 16:12:24 +00:00
vmojzis 3f3b209413
Merge pull request #122 from containers/renovate/major-ci-vm-image
Update dependency containers/automation_images to v20230405
2023-04-24 18:12:07 +02:00
Vit Mojzis 6a7382bead Fix generating policy for Crio mounts
Fix issue introduced by
Commit 7c7b9ad505
"Avoid duplicate rules for accessing mounts and devices"
where policy rules for "read-only mounts" are not generated properly.

Adjust Crio basic test to incorporate a read only mount that is not
covered by a special case ("/home" is handled by "home_container" and
anything under "/var/lib/kubelet" is ignored).

Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for
spotting this in the code.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2023-04-20 13:17:24 +02:00
renovate[bot] 558f7f54ec
Update dependency containers/automation_images to v20230405
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2023-04-18 00:26:36 +00:00
Chris Evich 6754ed0713
Merge pull request #121 from containers/renovate/configure
Configure Renovate
2023-04-17 11:49:46 -04:00
renovate[bot] 3e33f1ade8
Add renovate configuration
Signed-off-by: Chris Evich <cevich@redhat.com>
2023-04-11 14:32:34 -04:00
Chris Evich 9e711b9044
Merge pull request #120 from cevich/image_update
Cirrus: Update CI VM Images
2023-04-11 10:26:50 -04:00
Chris Evich c2a33cb50c
Cirrus: Update CI VM Images
Signed-off-by: Chris Evich <cevich@redhat.com>
2023-03-29 15:34:28 -04:00
Chris Evich 5d6feb3a6c
Fix several lint findings
Signed-off-by: Chris Evich <cevich@redhat.com>
2023-03-29 15:34:28 -04:00
Chris Evich 07ff36fd09
Show diff when checking formatting
Otherwise, all you get in CI is a failure notice w/o any indication as
to why.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-03-29 15:26:34 -04:00
Chris Evich dd5565541b
Merge pull request #119 from cevich/F37_ci_vm_images
Cirrus: Update CI VM Images to F37
2023-02-08 14:30:07 -05:00
Chris Evich e4383f9b29
Cirrus: Update CI VM images to F37
Ref: https://github.com/containers/automation_images/pull/246

Also, fully remove any hint that CI will ever work on the prior-supported
Fedora release. Doing so requires some special CNI setup in the podman
repository CI scripts.  I attempted to re-use them here (in `build.sh`)
but it was too difficult and likely would be error-prone.

Signed-off-by: Chris Evich <cevich@redhat.com>
2023-01-17 16:04:15 -05:00
Vit Mojzis 34c0f13758 Rename --device-access to --devices
This makes parameters more consistent.
Also, describe the new parameter in man page.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-10-20 16:50:15 +02:00
Martin Skøtt 0d3e3194e2 Add unit test for --device-access
Signed-off-by: Martin Skøtt <martin@skoett.name>
2022-10-04 10:25:37 +02:00
Martin Skøtt a2f0e4588e Syntax changes after running black
Signed-off-by: Martin Skøtt <martin@skoett.name>
2022-10-04 10:25:37 +02:00
Martin Skøtt a72b8fffc8 Add --device-access option
Signed-off-by: Martin Skøtt <martin@skoett.name>
2022-10-04 10:25:37 +02:00
Chris Evich 4a64ff7c1b
Merge pull request #115 from cevich/new_images
Cirrus: Update CI VM images
2022-09-08 12:59:38 -04:00
Chris Evich bd32eaf43e
Cirrus: Update CI VM images
Note F35 is disabled due to golang 1.18 requirement in podman. The
PRIOR_FEDORA... runs may be put back in place when F37 is released.

Signed-off-by: Chris Evich <cevich@redhat.com>
2022-08-29 14:23:36 -04:00
Vit Mojzis e7a4418143 udica-0.2.7
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 13:41:06 +02:00
Vit Mojzis 79a163a774 Document why policies may be more loose than expected
Explain the implications of generating policy based on security labels
as opposed to filesystem paths, port numbers, etc.

https://github.com/containers/udica/issues/7

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 12:01:11 +02:00
Vit Mojzis 1d15fa01ec github: Disable auto cancel when job fails
When a test job fails, GitHub automatically cancels other similar tests.
This often leads to "Fedora" jobs being canceled because of a trivial
issue on CentOS or older Fedora versions.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:42:06 +02:00
Vit Mojzis 353c0d37ef github: Use quay.io registry for test images
quay.io provides CentOS Stream 8 and 9 images as well as a working
fedora:latest image.

Fixes:
  checks / tests (centos:centos8):
  Run rpm -q python3 || dnf install --nogpgcheck -y python3
  package python3 is not installed
  CentOS Linux 8 - AppStream                      195  B/s |  38  B     00:00
  Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: No URLs in mirrorlist
  Error: Process completed with exit code 1.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:41:10 +02:00
Vit Mojzis d6e5a0d99a tests: Remove duplicate rules from test cil files
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:41:10 +02:00
Vit Mojzis 7c7b9ad505 Avoid duplicate rules for accessing mounts and devices
list_contexts may return duplicate contexts. This combined with multiple
mounts/devices that may share contexts leads to many duplicate allow
rules.

Example:
  tests/test_basic.podman.cil:8-11
  tests/test_basic.podman.cil:392-395
  duplicate RW mount permissions for var_spool_t

  tests/test_basic.podman.cil:28-31
  tests/test_basic.podman.cil:264-267
  tests/test_basic.podman.cil:304-307
  duplicate RW mount permissions for abrt_retrace_spool_t

This patch significantly reduces most test cil policies
e.g. test_basic.podman.cil 396 -> 253 lines
     test_basic.docker.cil 394 -> 254 lines

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:41:10 +02:00
Vit Mojzis d296573806 Improve containerd support
- Auto-detect containerd inspect files
- Use write_policy_for_podman_devices instead of a custom function
- Fix "path" to capabilities
- Fix issues reported by lint and black

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2022-06-22 11:41:10 +02:00
alegrey91 feb76a3d63 docs: add containerd support
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2022-06-21 16:04:43 +02:00
alegrey91 e5e919bebe feat: add devices and capabilities support for containerd engine
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2022-06-20 18:05:46 +02:00
alegrey91 696cea1e87 feat: add ports and mounts support for containerd engine
Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>
2022-06-20 18:02:19 +02:00
Vit Mojzis 2e1f70537b Improve label collection for mounts and devices
Catch exception triggered by selabel_lookup when it encounters file
context definition containing "<<none>>"

The real label of a given path may differ from what selabel_lookup
(matchpathcon) returns. Udica should allow access to both.

Fixes:
        https://github.com/containers/udica/issues/98
        https://github.com/containers/udica/issues/109
2022-04-29 16:15:06 +02:00
Vit Mojzis dd05dbe742 Make sure each section of the inspect exists before accessing
Fixes: https://github.com/containers/udica/issues/105,
       https://github.com/containers/udica/issues/103

Inspired by:
0c56d98b8c

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-11-11 18:05:23 +01:00
Daniel J Walsh 4265ea8638
Merge pull request #102 from cevich/update_images
Cirrus: Freshen VM images
2021-09-15 13:10:23 -04:00
Chris Evich e6bbc0a8dd
Cirrus: Freshen VM images
Signed-off-by: Chris Evich <cevich@redhat.com>
2021-09-14 13:03:53 -04:00
Vit Mojzis 2a352551b7 udica-0.2.6
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-09-13 16:36:48 +02:00
Vit Mojzis 2d70982a6f tests: Make sure policy templates are available
- Download policy templates from container-selinux github if not present
  in the system
- Cirrus only installs container-selinux - this way github PRs are
  tested both with latest version of templates and with the released one
- Github workflow now needs git to clone container-selinux repo

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-09-13 16:29:13 +02:00
Vit Mojzis aa3561d4de Move policy templates to container-selinux repo
Move udica policy templates to container-selinux package so that
administrators can deploy udica-generated policies on OpenShift nodes
without installing udica everywhere.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2021-09-13 16:21:41 +02:00