genpolicy: add support for runAsUser

Add policy support for SecurityContext and PodSecurityContext
runAsUser.

Also, remove outdated UID rule workaround.

Fixes: kata-containers#8879

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

src/tools/genpolicy/rules.rego

@@ -468,11 +468,8 @@ allow_user(p_process, i_process) {
     p_user := p_process.User
     i_user := i_process.User
 
-    # TODO: track down the reason for mcr.microsoft.com/oss/bitnami/redis:6.0.8 being
-    #       executed with uid = 0 despite having "User": "1001" in its container image
-    #       config.
-    #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
-    #p_user.UID == i_user.UID
+    print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+    p_user.UID == i_user.UID
 
     # TODO: track down the reason for registry.k8s.io/pause:3.9 being
     #       executed with gid = 0 despite having "65535:65535" in its container image

src/tools/genpolicy/src/containerd.rs

@@ -32,7 +32,7 @@ pub fn get_process(privileged_container: bool, common: &policy::CommonData) -> p
         Env: Vec::new(),
         Cwd: "/".to_string(),
         Capabilities: capabilities,
-        NoNewPrivileges: true,
+        NoNewPrivileges: false,
     }
 }
 

src/tools/genpolicy/src/pod.rs

@@ -88,6 +88,9 @@ pub struct PodSpec {
 
     #[serde(skip_serializing_if = "Option::is_none")]
     topologySpreadConstraints: Option<Vec<TopologySpreadConstraint>>,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    securityContext: Option<PodSecurityContext>,
 }
 
 /// See Reference / Kubernetes API / Workload Resources / Pod.
@@ -224,7 +227,7 @@ struct Probe {
 
     #[serde(skip_serializing_if = "Option::is_none")]
     tcpSocket: Option<TCPSocketAction>,
-    // TODO: additional fiels.
+    // TODO: additional fields.
 }
 
 /// See Reference / Kubernetes API / Workload Resources / Pod.
@@ -252,7 +255,7 @@ struct HTTPGetAction {
 
     #[serde(skip_serializing_if = "Option::is_none")]
     httpHeaders: Option<Vec<HTTPHeader>>,
-    // TODO: additional fiels.
+    // TODO: additional fields.
 }
 
 /// See Reference / Kubernetes API / Workload Resources / Pod.
@@ -281,6 +284,14 @@ struct SecurityContext {
     runAsUser: Option<i64>,
 }
 
+/// See Reference / Kubernetes API / Workload Resources / Pod.
+#[derive(Clone, Debug, Serialize, Deserialize)]
+struct PodSecurityContext {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    runAsUser: Option<i64>,
+    // TODO: additional fields.
+}
+
 /// See Reference / Kubernetes API / Workload Resources / Pod.
 #[derive(Clone, Debug, Serialize, Deserialize)]
 struct Lifecycle {
@@ -296,7 +307,7 @@ struct Lifecycle {
 struct LifecycleHandler {
     #[serde(skip_serializing_if = "Option::is_none")]
     exec: Option<ExecAction>,
-    // TODO: additional fiels.
+    // TODO: additional fields.
 }
 
 /// See Reference / Kubernetes API / Workload Resources / Pod.
@@ -585,15 +596,6 @@ impl Container {
         false
     }
 
-    pub fn allow_privilege_escalation(&self) -> bool {
-        if let Some(context) = &self.securityContext {
-            if let Some(allow) = context.allowPrivilegeEscalation {
-                return allow;
-            }
-        }
-        true
-    }
-
     pub fn read_only_root_filesystem(&self) -> bool {
         if let Some(context) = &self.securityContext {
             if let Some(read_only) = context.readOnlyRootFilesystem {
@@ -849,6 +851,14 @@ impl yaml::K8sResource for Pod {
         }
         false
     }
+
+    fn get_process_fields(&self, process: &mut policy::KataProcess) {
+        if let Some(context) = &self.spec.securityContext {
+            if let Some(uid) = context.runAsUser {
+                process.User.UID = uid.try_into().unwrap();
+            }
+        }
+    }
 }
 
 impl Container {
@@ -896,6 +906,17 @@ impl Container {
         }
         compress_default_capabilities(capabilities, defaults);
     }
+
+    pub fn get_process_fields(&self, process: &mut policy::KataProcess) {
+        if let Some(context) = &self.securityContext {
+            if let Some(uid) = context.runAsUser {
+                process.User.UID = uid.try_into().unwrap();
+            }
+            if let Some(allow) = context.allowPrivilegeEscalation {
+                process.NoNewPrivileges = !allow
+            }
+        }
+    }
 }
 
 fn compress_default_capabilities(

src/tools/genpolicy/src/policy.rs

@@ -606,8 +606,10 @@ impl AgentPolicy {
 
         substitute_env_variables(&mut process.Env);
         substitute_args_env_variables(&mut process.Args, &process.Env);
+
         c_settings.get_process_fields(&mut process);
-        process.NoNewPrivileges = !yaml_container.allow_privilege_escalation();
+        resource.get_process_fields(&mut process);
+        yaml_container.get_process_fields(&mut process);
 
         process
     }

src/tools/genpolicy/src/yaml.rs

@@ -66,6 +66,10 @@ pub trait K8sResource {
     fn get_annotations(&self) -> &Option<BTreeMap<String, String>>;
     fn use_host_network(&self) -> bool;
     fn use_sandbox_pidns(&self) -> bool;
+    fn get_process_fields(&self, _process: &mut policy::KataProcess) {
+        // Just Pods can have a PodSecurityContext field, so the other
+        // resources can use this default get_process_fields implementation.
+    }
 }
 
 /// See Reference / Kubernetes API / Common Definitions / LabelSelector.