Merge pull request #180 from microsoft/archana1/azurefile-genpolicy

genpolicy: add support for cc-azurefile-csi driver

src/tools/genpolicy/genpolicy-settings.json

@@ -280,6 +280,10 @@
             "cc-local-csi",
             "cc-managed-csi",
             "cc-managed-premium-csi"
+        ],
+        "smb_storage_classes": [
+            "cc-azurefile-csi",
+            "cc-azurefile-premium-csi"
         ]
     },
     "kata_config": {

src/tools/genpolicy/rules.rego

@@ -769,17 +769,17 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
     print("mount_source_allows 3: i_mount.source=", i_mount.source)
 
     i_source_parts = split(i_mount.source, "/")
-    b64_pci_device_id = i_source_parts[count(i_source_parts) - 1]
+    b64_direct_vol_path = i_source_parts[count(i_source_parts) - 1]
 
-    base64.is_valid(b64_pci_device_id)
+    base64.is_valid(b64_direct_vol_path)
 
     source1 := p_mount.source
     print("mount_source_allows 3: source1 =", source1)
 
     source2 := replace(source1, "$(spath)", policy_data.common.spath)
     print("mount_source_allows 3: source2 =", source2)
 
-    source3 := replace(source2, "$(b64-pci-device-id)", b64_pci_device_id)
+    source3 := replace(source2, "$(b64-direct-vol-path)", b64_direct_vol_path)
     print("mount_source_allows 3: source3 =", source3)
 
     source3 == i_mount.source
@@ -907,6 +907,25 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
 
     print("allow_storage_options 3: true")
 }
+allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+    print("allow_storage_options 4: start")
+
+    p_storage.driver == "smb"
+    count(i_storage.options) == 8
+    i_storage.options[0] == "dir_mode=0666"
+    i_storage.options[1] == "file_mode=0666"
+    i_storage.options[2] == "mfsymlinks"    
+    i_storage.options[3] == "cache=strict"  
+    i_storage.options[4] == "nosharesock"
+    i_storage.options[5] == "actimeo=30"    
+    startswith(i_storage.options[6], "addr=")
+    creds = split(i_storage.options[7], ",")
+    count(creds) == 2
+    startswith(creds[0], "username=")
+    startswith(creds[1], "password=")
+
+    print("allow_storage_options 4: true")
+}
 
 allow_overlay_layer(policy_id, policy_hash, i_option) {
     print("allow_overlay_layer: policy_id =", policy_id, "policy_hash =", policy_hash)
@@ -1002,23 +1021,34 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
 }
 allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id, layer_ids) {
     print("allow_mount_point 6: i_storage.mount_point =", i_storage.mount_point)
-    p_storage.driver == "blk"
+    allow_direct_vol_driver(p_storage, i_storage)
 
     mount1 := p_storage.mount_point
     print("allow_mount_point 6: mount1 =", mount1)
 
     mount2 := replace(mount1, "$(spath)", policy_data.common.spath)
     print("allow_mount_point 6: mount2 =", mount2)
 
-    pci_device_id := i_storage.source
-    mount3 := replace(mount2, "$(b64-pci-device-id)", base64url.encode(pci_device_id))
+    direct_vol_path := i_storage.source
+    mount3 := replace(mount2, "$(b64-direct-vol-path)", base64url.encode(direct_vol_path))
     print("allow_mount_point 6: mount3 =", mount3)
 
     mount3 == i_storage.mount_point
 
     print("allow_mount_point 6: true")
 }
 
+allow_direct_vol_driver(p_storage, i_storage) {
+    print("allow_direct_vol_driver 1: start")
+    p_storage.driver == "blk"
+    print("allow_direct_vol_driver 1: true")
+}
+allow_direct_vol_driver(p_storage, i_storage) {
+    print("allow_direct_vol_driver 2: start")
+    p_storage.driver == "smb"
+    print("allow_direct_vol_driver 2: true")
+}
+
 # process.Capabilities
 allow_caps(p_caps, i_caps) {
     print("allow_caps: policy Ambient =", p_caps.Ambient)

src/tools/genpolicy/src/mount_and_storage.rs

@@ -242,7 +242,18 @@ fn get_persistent_volume_claim_mount(
         .and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())
         .is_some_and(|sc| settings.common.virtio_blk_storage_classes.contains(sc));
 
-    handle_persistent_volume_claim(is_blk_mount, yaml_mount, p_mounts, storages, mount_options);
+    let is_smb_mount = pvc_resource
+        .and_then(|pvc_resource| pvc_resource.spec.storageClassName.as_ref())
+        .is_some_and(|sc| settings.common.smb_storage_classes.contains(sc));
+
+    handle_persistent_volume_claim(
+        is_blk_mount,
+        is_smb_mount,
+        yaml_mount,
+        p_mounts,
+        storages,
+        mount_options,
+    );
 }
 
 fn get_host_path_mount(
@@ -420,25 +431,41 @@ fn get_ephemeral_mount(
         .as_ref()
         .map(|sc| settings.common.virtio_blk_storage_classes.contains(sc))
         .unwrap_or(false);
+    let is_smb_mount = storage_class
+        .as_ref()
+        .map(|sc| settings.common.smb_storage_classes.contains(sc))
+        .unwrap_or(false);
 
-    handle_persistent_volume_claim(is_blk_mount, yaml_mount, p_mounts, storages, mount_options);
+    handle_persistent_volume_claim(
+        is_blk_mount,
+        is_smb_mount,
+        yaml_mount,
+        p_mounts,
+        storages,
+        mount_options,
+    );
 }
 
 fn handle_persistent_volume_claim(
     is_blk_mount: bool,
+    is_smb_mount: bool,
     yaml_mount: &pod::VolumeMount,
     p_mounts: &mut Vec<policy::KataMount>,
     storages: &mut Vec<agent::Storage>,
     mount_options: (&str, &str),
 ) {
-    if is_blk_mount {
-        let source = "$(spath)/$(b64-pci-device-id)".to_string();
+    if is_blk_mount || is_smb_mount {
+        let source = "$(spath)/$(b64-direct-vol-path)".to_string();
 
         storages.push(agent::Storage {
-            driver: "blk".to_string(),
+            driver: if is_blk_mount {
+                "blk".to_string()
+            } else {
+                "smb".to_string()
+            },
             driver_options: Vec::new(),
             fs_group: None,
-            source: "$(pci-device-id)".to_string(),
+            source: "$(direct-vol-path)".to_string(),
             mount_point: source.to_string(),
             fstype: "$(fs-type)".to_string(),
             options: Vec::new(),

src/tools/genpolicy/src/policy.rs

@@ -377,6 +377,9 @@ pub struct CommonData {
 
     /// Storage classes which mounts should be handled as virtio-blk devices.
     pub virtio_blk_storage_classes: Vec<String>,
+
+    /// Storage classes which mounts should be handled as smb mounts
+    pub smb_storage_classes: Vec<String>,
 }
 
 /// Struct used to read data from the settings file and copy that data into the policy.