microsoft.genpolicy: 3.2.0.azl3.genpolicy1 -> 3.2.0.azl3.genpolicy2

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
edgelesssys · Jan 10, 2025 · 351df09 · 351df09
1 parent 7a785b4
commit 351df09
Show file tree

Hide file tree

Showing 7 changed files with 29 additions and 29 deletions.
diff --git a/...es/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch b/...es/by-name/microsoft/genpolicy/0001-genpolicy-add-rules-and-types-for-volumeDevices.patch
@@ -14,18 +14,18 @@ Signed-off-by: Markus Rudy <mr@edgeless.systems>
  6 files changed, 85 insertions(+)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index a462c0692dabf796355ca14ee89e06ea45ff6c2b..fe872732cb83a6278a9413d2f0208c8917e0ba99 100644
+index a5208cf9d3b38edfe6ab777ce0bafb81bf3b84dc..aa0488ae2dffc63780967ca706ea2c8ffcfb1391 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -58,6 +58,7 @@ CreateContainerRequest {
+@@ -62,6 +62,7 @@ CreateContainerRequest {
 
      i_oci := input.OCI
      i_storages := input.storages
 +    i_devices := input.devices
 
      # Check if any element from the policy_data.containers array allows the input request.
      some p_container in policy_data.containers
-@@ -81,6 +82,9 @@ CreateContainerRequest {
+@@ -85,6 +86,9 @@ CreateContainerRequest {
      p_storages := p_container.storages
      allow_by_anno(p_oci, i_oci, p_storages, i_storages)
 
@@ -35,7 +35,7 @@ index a462c0692dabf796355ca14ee89e06ea45ff6c2b..fe872732cb83a6278a9413d2f0208c89
      allow_linux(p_oci, i_oci)
 
      print("CreateContainerRequest: true")
-@@ -363,6 +367,16 @@ allow_log_directory(p_oci, i_oci) {
+@@ -361,6 +365,16 @@ allow_log_directory(p_oci, i_oci) {
      print("allow_log_directory: true")
  }
 
@@ -52,15 +52,15 @@ index a462c0692dabf796355ca14ee89e06ea45ff6c2b..fe872732cb83a6278a9413d2f0208c89
  allow_linux(p_oci, i_oci) {
      p_namespaces := p_oci.Linux.Namespaces
      print("allow_linux: p namespaces =", p_namespaces)
-@@ -374,6 +388,7 @@ allow_linux(p_oci, i_oci) {
+@@ -372,6 +386,7 @@ allow_linux(p_oci, i_oci) {
 
      allow_masked_paths(p_oci, i_oci)
      allow_readonly_paths(p_oci, i_oci)
 +    allow_linux_devices(p_oci.Linux.Devices, i_oci.Linux.Devices)
 
      print("allow_linux: true")
  }
-@@ -462,6 +477,13 @@ allow_readonly_path(p_elem, i_array, masked_paths) {
+@@ -460,6 +475,13 @@ allow_readonly_path(p_elem, i_array, masked_paths) {
      print("allow_readonly_path 2: true")
  }
 
@@ -139,7 +139,7 @@ index 16d633aa2b29eaa4f4f497fb4de306b51e05c8b7..cae93c53257ec8b2195974b14589cb55
  #[derive(Clone, Debug, Serialize, Deserialize)]
  struct ResourceRequirements {
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 012eb9add230268c6ee29395a91f85fc1ef3a4f0..b612bcc52ad59be4790accea5074418eb4d050a8 100644
+index 8528d84827139a89d056a717f2d868d9c9c9f5f8..ff06786ca8610a71059d469dac613750cc0c8623 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -198,6 +198,10 @@ pub struct KataLinux {
@@ -182,7 +182,7 @@ index 012eb9add230268c6ee29395a91f85fc1ef3a4f0..b612bcc52ad59be4790accea5074418e
      /// Data compared with req.sandbox_pidns for CreateContainerRequest calls.
      sandbox_pidns: bool,
 
-@@ -595,6 +614,25 @@ impl AgentPolicy {
+@@ -601,6 +620,25 @@ impl AgentPolicy {
          };
          let exec_commands = yaml_container.get_exec_commands();
 
@@ -208,7 +208,7 @@ index 012eb9add230268c6ee29395a91f85fc1ef3a4f0..b612bcc52ad59be4790accea5074418e
          ContainerPolicy {
              OCI: KataSpec {
                  Version: version_default(),
-@@ -606,6 +644,7 @@ impl AgentPolicy {
+@@ -612,6 +650,7 @@ impl AgentPolicy {
                  Linux: linux,
              },
              storages,

diff --git a/...-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch b/...-name/microsoft/genpolicy/0002-genpolicy-add-ability-to-filter-for-runtimeClassName.patch
@@ -78,7 +78,7 @@ index cae93c53257ec8b2195974b14589cb5571d10623..45111763af659f7c86640779be95280e
          yaml::get_process_fields(process, &self.spec.securityContext);
      }
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index b612bcc52ad59be4790accea5074418eb4d050a8..e749c5b1d56712a6bbed2e6b2df1ce0ff53df836 100644
+index ff06786ca8610a71059d469dac613750cc0c8623..b3c6557fd61be79e76110b99a6a7751dcc841602 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
 @@ -10,6 +10,7 @@ use crate::agent;
@@ -89,7 +89,7 @@ index b612bcc52ad59be4790accea5074418eb4d050a8..e749c5b1d56712a6bbed2e6b2df1ce0f
  use crate::pod;
  use crate::policy;
  use crate::pvc;
-@@ -441,6 +442,17 @@ impl AgentPolicy {
+@@ -447,6 +448,17 @@ impl AgentPolicy {
                  let yaml_string = serde_yaml::to_string(&doc_mapping)?;
                  let silent = config.silent_unsupported_fields;
                  let (mut resource, kind) = yaml::new_k8s_resource(&yaml_string, silent)?;

diff --git a/...-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch b/...-name/microsoft/genpolicy/0004-genpolicy-regex-check-contrast-specific-layer-src-pr.patch
@@ -9,10 +9,10 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index fe872732cb83a6278a9413d2f0208c8917e0ba99..9d6d2e7eed79cf14eb06a9cbf741466dd487f082 100644
+index aa0488ae2dffc63780967ca706ea2c8ffcfb1391..38171ac667d6084b085633aedf669ed381c10e22 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -917,7 +917,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
+@@ -944,7 +944,7 @@ allow_storage_options(p_storage, i_storage, layer_ids, root_hashes) {
      i_count == p_count + 3
 
      print("allow_storage_options 2: i_storage.options[0] =", i_storage.options[0])

diff --git a/...-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch b/...-name/microsoft/genpolicy/0007-genpolicy-support-for-VOLUME-definition-in-container.patch
@@ -21,7 +21,7 @@ Subject: [PATCH] genpolicy: support for VOLUME definition in container image
  14 files changed, 188 insertions(+), 98 deletions(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index 15bf78d93e3b07370cec924c4459b89caaaeb3ce..611fde8068b5880865327dd7097466c1fcce57cf 100644
+index 73d9c1125bbfeefce4bce24109f552db87860bca..ce3e90579266bf463d815b8f3a10fea21a97b044 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -178,6 +178,18 @@

diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_coordinator.patch
@@ -1,13 +1,13 @@
 diff --git a/genpolicy-settings.json b/genpolicy-settings.json
-index fd998a41b..ba362a77d 100755
+index ce3e905792..b5ae14b575 100644
 --- a/genpolicy-settings.json
 +++ b/genpolicy-settings.json
-@@ -319,7 +319,8 @@
-                 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+@@ -332,7 +332,8 @@
                  "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
                  "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
--                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
-+                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+                 "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+-                "^TERM=xterm$"
++                "^TERM=xterm$",
 +                "^CONTRAST_[A-Z0-9_]*=.*$"
              ]
          },

diff --git a/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch b/packages/by-name/microsoft/genpolicy/genpolicy_msft_settings_dev.patch
@@ -1,24 +1,24 @@
 diff --git a/genpolicy-settings.json b/genpolicy-settings.json
-index fd998a41b..17d562c8a 100755
+index ce3e905792..9be069e51d 100644
 --- a/genpolicy-settings.json
 +++ b/genpolicy-settings.json
-@@ -319,7 +319,8 @@
-                 "^AZURE_CLIENT_ID=[A-Fa-f0-9-]*$",
+@@ -332,7 +332,8 @@
                  "^AZURE_TENANT_ID=[A-Fa-f0-9-]*$",
                  "^AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token$",
--                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$"
-+                "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+                 "^AZURE_AUTHORITY_HOST=https://login\\.microsoftonline\\.com/$",
+-                "^TERM=xterm$"
++                "^TERM=xterm$",
 +                "^CONTRAST_[A-Z0-9_]*=.*$"
              ]
          },
          "CopyFileRequest": [
-@@ -327,11 +328,13 @@
+@@ -340,11 +341,13 @@
          ],
          "ExecProcessRequest": {
              "commands": [],
 -            "regex": []
 +            "regex": [
-+              ".*"
++                ".*"
 +            ]
          },
          "CloseStdinRequest": false,

diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
@@ -17,14 +17,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "genpolicy";
-  version = "3.2.0.azl3.genpolicy1";
+  version = "3.2.0.azl3.genpolicy2";
 
   src = applyPatches {
     src = fetchFromGitHub {
       owner = "microsoft";
       repo = "kata-containers";
       rev = "refs/tags/${version}";
-      hash = "sha256-JNffqEbyDbjEjl5S06DoK3JhsXC3FJfoYCMjODoXC+0=";
+      hash = "sha256-kdXCwiDQSs9K70KCgvYjglQrU80PgjHFYXWPM/1+1/I=";
     };
 
     patches = [
@@ -76,7 +76,7 @@ rustPlatform.buildRustPackage rec {
 
   sourceRoot = "${src.name}/src/tools/genpolicy";
 
-  cargoHash = "sha256-9drLhOTHXxx68Su5jpOo+JtyWGUteXB9+bAFR31pq74=";
+  cargoHash = "sha256-/s8D6uHVU6iao6Jq/pyiK1inXPlousICoYaqbyzH/II=";
 
   OPENSSL_NO_VENDOR = 1;