enforcement: fix use case when the same target has different hashes #1469
8d7e712 to 9e133fa
Moved GitHub CI enablement for security policy unit tests into a separate PR: #1470
9e133fa to 0566ad8
LGTM
CI failure is because some hostprocess tests in containerd can't find powershell in their path; this fixes things: #1473. But also, without this fix the CI in my change is exceedingly flaky for the security policy test 🤣.
Okay, #1473 was merged, rebase should fix the CI.
Fix an issue when the same mount target could have different hashes during device mount policy enforcement.

Although it's possible to mount different devices at the same mount location, this doesn't make sense for read-only container layers. The device mount enforcement logic has been updated to cover this case.

This was discovered by randomized security policy unit tests. The tests have been updated to minimize the chance of it happening by adding a minimal length for a random string, and an appropriate unit test has been added to cover the change.

Signed-off-by: Maksim An <maksiman@microsoft.com>
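The check the commit message describes, sketched as an added example (not code from this PR or from the project): a device mount is refused when the target already holds a device with a different root hash. All type, function and error names are hypothetical, the hashes and paths are constructed, and allowing an identical re-mount at the same target is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical names throughout; this is not the project's API.
var (
	errHashNotAllowed = errors.New("root hash not allowed by policy")
	errTargetInUse    = errors.New("target already holds a different root hash")
)

type mountEnforcer struct {
	allowed map[string]bool   // layer root hashes the policy permits
	mounted map[string]string // mount target -> root hash mounted there
}

func newMountEnforcer(layerHashes ...string) *mountEnforcer {
	e := &mountEnforcer{allowed: map[string]bool{}, mounted: map[string]string{}}
	for _, h := range layerHashes {
		e.allowed[h] = true
	}
	return e
}

// enforceDeviceMount allows a mount only if the hash is in policy and the
// target is not already bound to a different hash.
func (e *mountEnforcer) enforceDeviceMount(target, rootHash string) error {
	if !e.allowed[rootHash] {
		return fmt.Errorf("%w: %s", errHashNotAllowed, rootHash)
	}
	if prev, ok := e.mounted[target]; ok && prev != rootHash {
		return fmt.Errorf("%w: %s has %s, got %s", errTargetInUse, target, prev, rootHash)
	}
	e.mounted[target] = rootHash
	return nil
}

// enforceDeviceUnmount releases the target so it can be reused.
func (e *mountEnforcer) enforceDeviceUnmount(target string) {
	delete(e.mounted, target)
}

func main() {
	e := newMountEnforcer("hashA", "hashB") // constructed sample hashes
	fmt.Println(e.enforceDeviceMount("/layers/0", "hashA"))
	fmt.Println(e.enforceDeviceMount("/layers/0", "hashB"))
}
```

Without the per-target lookup, both mounts in `main` would pass, because each hash is individually allowed by the policy.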
5999711 to 74bef8d