Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enforcement: fix use case when the same target has different hashes #1469

Merged
merged 2 commits into from
Aug 8, 2022
Merged

enforcement: fix use case when the same target has different hashes #1469

merged 2 commits into from
Aug 8, 2022

Conversation

anmaxvl
Copy link
Contributor

@anmaxvl anmaxvl commented Jul 27, 2022
edited
Loading

Fix an issue when the same mount target could have different hashes
during device mount policy enforcement.
Although it's possible to mount different devices at the same mount
location, this doesn't make sense for read-only container layers.
The device mount enforcement logic has been updated to cover this
case.
This was discovered by randomized security policy unit tests.

The tests have been updated, to minimize the chance of it happening
by adding a minimal length for a random string and appropriate unit
test has been added to cover the change.

Signed-off-by: Maksim An maksiman@microsoft.com

@anmaxvl anmaxvl requested a review from a team as a code owner July 27, 2022 01:05
@anmaxvl anmaxvl force-pushed the fix-device-mount-enforcement branch from 8d7e712 to 9e133fa Compare July 27, 2022 16:52
@anmaxvl
Copy link
Contributor Author

anmaxvl commented Jul 27, 2022

moved github CI enablement for security policy unit tests into a separate PR: #1470

@anmaxvl anmaxvl force-pushed the fix-device-mount-enforcement branch from 9e133fa to 0566ad8 Compare July 28, 2022 07:32
dcantah
dcantah approved these changes Aug 3, 2022
View reviewed changes
Copy link
Contributor

@dcantah dcantah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dcantah
Copy link
Contributor

dcantah commented Aug 3, 2022

CI failure is because some hostprocess tests in containerd can't find powershell in their path, this fixes things #1473, but also without this fix the CI in my change is exceedingly flaky for the security policy test 🤣.

@dcantah
Copy link
Contributor

dcantah commented Aug 3, 2022

Okay #1473 was merged, rebase should fix the CI

@anmaxvl
enforcement: fix use case when the same target has different hashes
3b3ee35 
Fix an issue when the same mount target could have different hashes
during device mount policy enforcement.
Although it's possible to mount different devices at the same mount
location, this doesn't make sense for read-only container layers.
The device mount enforcement logic has been updated to cover this
case.
This was discovered by randomized security policy unit tests.

The tests have been updated, to minimize the chance of it happening
by adding a minimal length for a random string and appropriate unit
test has been added to cover the change.

Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl
pr feedback: t.Logf policy and fix seeding
74bef8d 
Signed-off-by: Maksim An <maksiman@microsoft.com>
@anmaxvl anmaxvl force-pushed the fix-device-mount-enforcement branch from 5999711 to 74bef8d Compare August 4, 2022 01:17
@anmaxvl anmaxvl merged commit ba4bfca into microsoft:master Aug 8, 2022
@anmaxvl anmaxvl deleted the fix-device-mount-enforcement branch August 8, 2022 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcantah dcantah dcantah approved these changes

@helsaawy helsaawy helsaawy approved these changes

Assignees

@dcantah dcantah

@helsaawy helsaawy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@anmaxvl @dcantah @helsaawy