Always set SECURITY_POLICY env var, even for open door policy. #1397

Merged on Jun 24, 2022 (3 commits)

@anmaxvl anmaxvl commented May 13, 2022

Previously SECURITY_POLICY env var was set for container init process
only when StandardSecurityPolicyEnforcer was in use, however the
environment variable is useful even with OpenDoor enforcer.

Address this gap by updating enforcers and adding an accessor
method.

The SECURITY_POLICY environment variable will be set only when
the appropriate annotation says so:
"io.microsoft.virtualmachine.lcow.securitypolicy.env"

Signed-off-by: Maksim An <maksiman@microsoft.com>

@anmaxvl anmaxvl requested a review from a team as a code owner May 13, 2022 02:18
@anmaxvl anmaxvl force-pushed the security-policy-env branch 2 times, most recently from 45f78c2 to d79e3d2 Compare June 15, 2022 22:32
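The behaviour the description above states, as an added example that is not hcsshim's own code: both enforcer kinds expose the encoded policy through an accessor, and `SECURITY_POLICY` reaches the init process only when the annotation is true. The type names, the accessor name `EncodedSecurityPolicy`, the helper functions, the default of false for a missing annotation, and the removal of any `SECURITY_POLICY` already present in the environment are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Annotation key quoted in the PR description.
const policyEnvAnnotation = "io.microsoft.virtualmachine.lcow.securitypolicy.env"

// policyEnforcer is a hypothetical interface; the accessor name is assumed.
type policyEnforcer interface{ EncodedSecurityPolicy() string }

// Both enforcer kinds keep the encoded policy they were created from.
type standardEnforcer struct{ encoded string }
type openDoorEnforcer struct{ encoded string }

func (e standardEnforcer) EncodedSecurityPolicy() string { return e.encoded }
func (e openDoorEnforcer) EncodedSecurityPolicy() string { return e.encoded }

// annotationBool treats a missing or unparseable value as false (assumed default).
func annotationBool(a map[string]string, key string) bool {
	v, err := strconv.ParseBool(a[key])
	return err == nil && v
}

// initProcessEnv returns the environment for the container init process.
// The variable is added for any enforcer, but only when the annotation opts in.
// Dropping a caller-supplied SECURITY_POLICY first is a choice of this example,
// so the value always comes from the enforcer rather than the image or spec.
func initProcessEnv(env []string, enf policyEnforcer, a map[string]string) []string {
	if !annotationBool(a, policyEnvAnnotation) {
		return env
	}
	out := make([]string, 0, len(env)+1)
	for _, kv := range env {
		if !strings.HasPrefix(kv, "SECURITY_POLICY=") {
			out = append(out, kv)
		}
	}
	return append(out, "SECURITY_POLICY="+enf.EncodedSecurityPolicy())
}

func main() {
	on := map[string]string{policyEnvAnnotation: "true"}
	env := []string{"PATH=/bin", "SECURITY_POLICY=from-image"} // constructed sample
	fmt.Println(initProcessEnv(env, openDoorEnforcer{"constructed-policy"}, on))
}
```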
@katiewasnothere katiewasnothere left a comment

Small nit otherwise LGTM

Previously SECURITY_POLICY env var was set for container init process
only when StandardSecurityPolicyEnforcer was in use, however the
environment variable is useful even with OpenDoor enforcer.

Address this gap by updating enforcers and adding an accessor
method.

Signed-off-by: Maksim An <maksiman@microsoft.com>
Update tests

Signed-off-by: Maksim An <maksiman@microsoft.com>
Signed-off-by: Maksim An <maksiman@microsoft.com>
@SeanTAllen
@anmaxvl can we get this merged?

@anmaxvl anmaxvl merged commit 9d94ed9 into microsoft:master Jun 24, 2022
@anmaxvl anmaxvl deleted the security-policy-env branch June 24, 2022 17:10
kiashok pushed a commit to kiashok/hcsshim that referenced this pull request Jul 11, 2022
…soft#1397)

Previously SECURITY_POLICY env var was set for container init process
only when StandardSecurityPolicyEnforcer was in use, however the
environment variable is useful even with OpenDoor enforcer.

Address this gap by updating enforcers and adding an accessor
method.

Add annotation to set SECURITY_POLICY env for containers.

Export oci.ParseAnnotationsBool

Update tests

Signed-off-by: Maksim An <maksiman@microsoft.com>
anmaxvl added a commit that referenced this pull request Feb 7, 2023