From 5e0609b1fe8fd5efbfbcbc7440d953d47998b38b Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 29 Nov 2023 12:36:32 +0100
Subject: [PATCH] udica-0.2.8 New release https://github.com/containers/udica/releases/tag/v0.2.8
---
 .gitignore | 1 +
 0001-Add-device-access-option.patch | 49 ---
 0002-Syntax-changes-after-running-black.patch | 47 ---
 0003-Add-unit-test-for-device-access.patch | 294 ------------------
 0004-Rename-device-access-to-devices.patch | 101 ------
 0005-Show-diff-when-checking-formatting.patch | 29 --
 0006-Fix-several-lint-findings.patch | 38 ---
 ...ix-generating-policy-for-Crio-mounts.patch | 116 -------
 sources | 2 +-
 udica.spec | 14 +-
 10 files changed, 7 insertions(+), 684 deletions(-)
 delete mode 100644 0001-Add-device-access-option.patch
 delete mode 100644 0002-Syntax-changes-after-running-black.patch
 delete mode 100644 0003-Add-unit-test-for-device-access.patch
 delete mode 100644 0004-Rename-device-access-to-devices.patch
 delete mode 100644 0005-Show-diff-when-checking-formatting.patch
 delete mode 100644 0006-Fix-several-lint-findings.patch
 delete mode 100644 0007-Fix-generating-policy-for-Crio-mounts.patch
diff --git a/.gitignore b/.gitignore
index 8b13f70..d3d498c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@
 /v0.2.5.tar.gz
 /v0.2.6.tar.gz
 /v0.2.7.tar.gz
+/v0.2.8.tar.gz
diff --git a/0001-Add-device-access-option.patch b/0001-Add-device-access-option.patch
deleted file mode 100644
index 935f636..0000000
--- a/0001-Add-device-access-option.patch
+++ /dev/null
@@ -1,49 +0,0 @@ -From a72b8fffc82657de85d20b3c9191d24a0b41e612 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= -Date: Thu, 11 Aug 2022 14:20:14 +0200 -Subject: [PATCH] Add ---device--access option -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Martin Skøtt ---- - udica/__main__.py | 8 ++++++++ - udica/policy.py | 2 ++ - 2 files changed, 10 insertions(+) - -diff --git a/udica/__main__.py b/udica/__main__.py -index d72a4b4..9cb276d 100644 ---- a/udica/__main__.py -+++ b/udica/__main__.py -@@ -127,6 +127,14 @@ def get_args(): - required=False, - default="-", - ) -+ parser.add_argument( -+ "--device-access", -+ help='List of devices the container should have access to, e.g "--device-access /dev/dri/card0,/dev/dri/renderD128"', -+ required=False, -+ default=None, -+ type=str, -+ dest='DeviceAccess' -+ ) - args = parser.parse_args() - return vars(args) - -diff --git a/udica/policy.py b/udica/policy.py -index ec6ce20..0f1145a 100644 ---- a/udica/policy.py -+++ b/udica/policy.py -@@ -173,6 +173,8 @@ def create_policy( - # devices - # Not applicable for CRI-O container engine - if inspect_format != "CRI-0": -+ if (not devices and opts["DeviceAccess"]): -+ devices = [{"PathOnHost": device} for device in opts["DeviceAccess"].split(',')] - write_policy_for_podman_devices(devices, policy) - - # mounts --- -2.37.3 - diff --git a/0002-Syntax-changes-after-running-black.patch b/0002-Syntax-changes-after-running-black.patch deleted file mode 100644 index 7d8e08d..0000000 --- a/0002-Syntax-changes-after-running-black.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From a2f0e4588e010e9df9da7bbd46fa4304335f9b25 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= -Date: Thu, 11 Aug 2022 20:29:18 +0200 -Subject: [PATCH] Syntax changes after running black -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Martin Skøtt ---- - udica/__main__.py | 2 +- - udica/policy.py | 6 ++++-- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/udica/__main__.py b/udica/__main__.py -index 9cb276d..84e0ba4 100644 ---- a/udica/__main__.py -+++ b/udica/__main__.py -@@ -133,7 +133,7 @@ def get_args(): - required=False, - default=None, - type=str, -- dest='DeviceAccess' -+ dest="DeviceAccess", - ) - args = parser.parse_args() - return vars(args) -diff --git a/udica/policy.py b/udica/policy.py -index 0f1145a..9b7a14f 100644 ---- a/udica/policy.py -+++ b/udica/policy.py -@@ -173,8 +173,10 @@ def create_policy( - # devices - # Not applicable for CRI-O container engine - if inspect_format != "CRI-0": -- if (not devices and opts["DeviceAccess"]): -- devices = [{"PathOnHost": device} for device in opts["DeviceAccess"].split(',')] -+ if not devices and opts["DeviceAccess"]: -+ devices = [ -+ {"PathOnHost": device} for device in opts["DeviceAccess"].split(",") -+ ] - write_policy_for_podman_devices(devices, policy) - - # mounts --- -2.37.3 - diff --git a/0003-Add-unit-test-for-device-access.patch b/0003-Add-unit-test-for-device-access.patch deleted file mode 100644 index 37e4a1c..0000000 --- a/0003-Add-unit-test-for-device-access.patch +++ /dev/null 
@@ -1,294 +0,0 @@ -From 0d3e3194e26a21c531d13bde5e45c0bce9717a99 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= -Date: Thu, 11 Aug 2022 21:50:57 +0200 -Subject: [PATCH] Add unit test for --device-access -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Martin Skøtt ---- - tests/test_device_access.podman.json | 244 +++++++++++++++++++++++++++ - tests/test_main.py | 15 ++ - 2 files changed, 259 insertions(+) - create mode 100644 tests/test_device_access.podman.json - -diff --git a/tests/test_device_access.podman.json b/tests/test_device_access.podman.json -new file mode 100644 -index 0000000..9a806a2 ---- /dev/null -+++ b/tests/test_device_access.podman.json -@@ -0,0 +1,244 @@ -+[ -+ { -+ "Id": "68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744", -+ "Created": "2022-08-11T20:54:51.026287311+02:00", -+ "Path": "/bin/bash", -+ "Args": [ -+ "/bin/bash" -+ ], -+ "State": { -+ "OciVersion": "1.0.2-dev", -+ "Status": "exited", -+ "Running": false, -+ "Paused": false, -+ "Restarting": false, -+ "OOMKilled": false, -+ "Dead": false, -+ "Pid": 0, -+ "ExitCode": 0, -+ "Error": "", -+ "StartedAt": "2022-08-11T20:54:51.116938836+02:00", -+ "FinishedAt": "2022-08-11T20:54:51.1327839+02:00", -+ "Health": { -+ "Status": "", -+ "FailingStreak": 0, -+ "Log": null -+ }, -+ "CheckpointedAt": "0001-01-01T00:00:00Z", -+ "RestoredAt": "0001-01-01T00:00:00Z" -+ }, -+ "Image": "2ecb6df959942dd2fdeb65606ca2e42a54f8c06af10eeb594fdfc3e2656c53d1", -+ "ImageName": "registry.fedoraproject.org/fedora:latest", -+ "Rootfs": "", -+ "Pod": "", -+ "ResolvConfPath": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/resolv.conf", -+ "HostnamePath": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/hostname", -+ "HostsPath": 
"/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/hosts", -+ "StaticDir": "/home/martin/.local/share/containers/storage/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata", -+ "OCIConfigPath": "/home/martin/.local/share/containers/storage/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/config.json", -+ "OCIRuntime": "crun", -+ "ConmonPidFile": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/conmon.pid", -+ "PidFile": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/pidfile", -+ "Name": "charming_khorana", -+ "RestartCount": 0, -+ "Driver": "overlay", -+ "MountLabel": "system_u:object_r:container_file_t:s0:c8,c574", -+ "ProcessLabel": "system_u:system_r:container_t:s0:c8,c574", -+ "AppArmorProfile": "", -+ "EffectiveCaps": [ -+ "CAP_CHOWN", -+ "CAP_DAC_OVERRIDE", -+ "CAP_FOWNER", -+ "CAP_FSETID", -+ "CAP_KILL", -+ "CAP_NET_BIND_SERVICE", -+ "CAP_SETFCAP", -+ "CAP_SETGID", -+ "CAP_SETPCAP", -+ "CAP_SETUID", -+ "CAP_SYS_CHROOT" -+ ], -+ "BoundingCaps": [ -+ "CAP_CHOWN", -+ "CAP_DAC_OVERRIDE", -+ "CAP_FOWNER", -+ "CAP_FSETID", -+ "CAP_KILL", -+ "CAP_NET_BIND_SERVICE", -+ "CAP_SETFCAP", -+ "CAP_SETGID", -+ "CAP_SETPCAP", -+ "CAP_SETUID", -+ "CAP_SYS_CHROOT" -+ ], -+ "ExecIDs": [], -+ "GraphDriver": { -+ "Name": "overlay", -+ "Data": { -+ "LowerDir": "/home/martin/.local/share/containers/storage/overlay/1da06ca5080c2ce2499e2f9802259209c7dd85c92d64852c3165425cdc18c443/diff", -+ "UpperDir": "/home/martin/.local/share/containers/storage/overlay/98294044df8fadc428b8a41befc0c83d574601b56076c62ce7fa93df6c48f8dc/diff", -+ "WorkDir": "/home/martin/.local/share/containers/storage/overlay/98294044df8fadc428b8a41befc0c83d574601b56076c62ce7fa93df6c48f8dc/work" -+ } -+ }, -+ "Mounts": [], -+ "Dependencies": [], -+ 
"NetworkSettings": { -+ "EndpointID": "", -+ "Gateway": "", -+ "IPAddress": "", -+ "IPPrefixLen": 0, -+ "IPv6Gateway": "", -+ "GlobalIPv6Address": "", -+ "GlobalIPv6PrefixLen": 0, -+ "MacAddress": "", -+ "Bridge": "", -+ "SandboxID": "", -+ "HairpinMode": false, -+ "LinkLocalIPv6Address": "", -+ "LinkLocalIPv6PrefixLen": 0, -+ "Ports": {}, -+ "SandboxKey": "" -+ }, -+ "Namespace": "", -+ "IsInfra": false, -+ "Config": { -+ "Hostname": "68485406c4bb", -+ "Domainname": "", -+ "User": "", -+ "AttachStdin": false, -+ "AttachStdout": false, -+ "AttachStderr": false, -+ "Tty": false, -+ "OpenStdin": false, -+ "StdinOnce": false, -+ "Env": [ -+ "FGC=f36", -+ "DISTTAG=f36container", -+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", -+ "TERM=xterm", -+ "container=oci", -+ "HOME=/root", -+ "HOSTNAME=68485406c4bb" -+ ], -+ "Cmd": [ -+ "/bin/bash" -+ ], -+ "Image": "registry.fedoraproject.org/fedora:latest", -+ "Volumes": null, -+ "WorkingDir": "/", -+ "Entrypoint": "", -+ "OnBuild": null, -+ "Labels": { -+ "license": "MIT", -+ "name": "fedora", -+ "vendor": "Fedora Project", -+ "version": "36" -+ }, -+ "Annotations": { -+ "io.container.manager": "libpod", -+ "io.kubernetes.cri-o.Created": "2022-08-11T20:54:51.026287311+02:00", -+ "io.kubernetes.cri-o.TTY": "false", -+ "io.podman.annotations.autoremove": "FALSE", -+ "io.podman.annotations.init": "FALSE", -+ "io.podman.annotations.privileged": "FALSE", -+ "io.podman.annotations.publish-all": "FALSE", -+ "org.opencontainers.image.stopSignal": "15" -+ }, -+ "StopSignal": 15, -+ "CreateCommand": [ -+ "podman", -+ "run", -+ "--device", -+ "/dev/fb0", -+ "fedora" -+ ], -+ "Umask": "0022", -+ "Timeout": 0, -+ "StopTimeout": 10, -+ "Passwd": true -+ }, -+ "HostConfig": { -+ "Binds": [], -+ "CgroupManager": "systemd", -+ "CgroupMode": "private", -+ "ContainerIDFile": "", -+ "LogConfig": { -+ "Type": "journald", -+ "Config": null, -+ "Path": "", -+ "Tag": "", -+ "Size": "0B" -+ }, -+ "NetworkMode": "slirp4netns", 
-+ "PortBindings": {}, -+ "RestartPolicy": { -+ "Name": "", -+ "MaximumRetryCount": 0 -+ }, -+ "AutoRemove": false, -+ "VolumeDriver": "", -+ "VolumesFrom": null, -+ "CapAdd": [], -+ "CapDrop": [ -+ "CAP_AUDIT_WRITE", -+ "CAP_MKNOD", -+ "CAP_NET_RAW" -+ ], -+ "Dns": [], -+ "DnsOptions": [], -+ "DnsSearch": [], -+ "ExtraHosts": [], -+ "GroupAdd": [], -+ "IpcMode": "shareable", -+ "Cgroup": "", -+ "Cgroups": "default", -+ "Links": null, -+ "OomScoreAdj": 0, -+ "PidMode": "private", -+ "Privileged": false, -+ "PublishAllPorts": false, -+ "ReadonlyRootfs": false, -+ "SecurityOpt": [], -+ "Tmpfs": {}, -+ "UTSMode": "private", -+ "UsernsMode": "", -+ "ShmSize": 65536000, -+ "Runtime": "oci", -+ "ConsoleSize": [ -+ 0, -+ 0 -+ ], -+ "Isolation": "", -+ "CpuShares": 0, -+ "Memory": 0, -+ "NanoCpus": 0, -+ "CgroupParent": "user.slice", -+ "BlkioWeight": 0, -+ "BlkioWeightDevice": null, -+ "BlkioDeviceReadBps": null, -+ "BlkioDeviceWriteBps": null, -+ "BlkioDeviceReadIOps": null, -+ "BlkioDeviceWriteIOps": null, -+ "CpuPeriod": 0, -+ "CpuQuota": 0, -+ "CpuRealtimePeriod": 0, -+ "CpuRealtimeRuntime": 0, -+ "CpusetCpus": "", -+ "CpusetMems": "", -+ "Devices": [], -+ "DiskQuota": 0, -+ "KernelMemory": 0, -+ "MemoryReservation": 0, -+ "MemorySwap": 0, -+ "MemorySwappiness": 0, -+ "OomKillDisable": false, -+ "PidsLimit": 2048, -+ "Ulimits": [], -+ "CpuCount": 0, -+ "CpuPercent": 0, -+ "IOMaximumIOps": 0, -+ "IOMaximumBandwidth": 0, -+ "CgroupConf": null -+ } -+ } -+] -diff --git a/tests/test_main.py b/tests/test_main.py -index 6b30dc4..bc17cc2 100644 ---- a/tests/test_main.py -+++ b/tests/test_main.py -@@ -354,6 +354,21 @@ class TestBase(unittest.TestCase): - self.assert_templates(output, ["base_container"]) - self.assert_policy(test_file("test_devices.podman.cil")) - -+ def test_device_access_podman(self): -+ """podman run --device /dev/fb0 fedora""" -+ output = self.run_udica( -+ [ -+ "udica", -+ "-j", -+ "tests/test_devices.podman.json", -+ "--device-access", -+ "/dev/fd0", -+ 
"my_container", -+ ] -+ ) -+ self.assert_templates(output, ["base_container"]) -+ self.assert_policy(test_file("test_devices.podman.cil")) -+ - def run_udica(self, args): - with patch("sys.argv", args): - with patch("sys.stderr.write") as mock_err, patch( --- -2.37.3 - diff --git a/0004-Rename-device-access-to-devices.patch b/0004-Rename-device-access-to-devices.patch deleted file mode 100644 index efd9a0f..0000000 --- a/0004-Rename-device-access-to-devices.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 34c0f137583001c5b7b0f8bf681b027aeff109cb Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Wed, 19 Oct 2022 16:34:46 +0200 -Subject: [PATCH] Rename --device-access to --devices - -This makes parameters more consistent. -Also, describe the new parameter in man page. - -Signed-off-by: Vit Mojzis ---- - tests/test_main.py | 4 ++-- - udica/__main__.py | 16 ++++++++-------- - udica/man/man8/udica.8 | 5 +++++ - udica/policy.py | 6 ++---- - 4 files changed, 17 insertions(+), 14 deletions(-) - -diff --git a/tests/test_main.py b/tests/test_main.py -index bc17cc2..f32588b 100644 ---- a/tests/test_main.py -+++ b/tests/test_main.py -@@ -361,8 +361,8 @@ class TestBase(unittest.TestCase): - "udica", - "-j", - "tests/test_devices.podman.json", -- "--device-access", -- "/dev/fd0", -+ "--devices", -+ "/dev/fb0", - "my_container", - ] - ) -diff --git a/udica/__main__.py b/udica/__main__.py -index 84e0ba4..103ddc2 100644 ---- a/udica/__main__.py -+++ b/udica/__main__.py -@@ -99,6 +99,14 @@ def get_args(): - dest="Caps", - default=None, - ) -+ parser.add_argument( -+ "--devices", -+ type=str, -+ help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"', -+ dest="Devices", -+ required=False, -+ default=None, -+ ) - parser.add_argument( - "-d", - "--ansible", -@@ -127,14 +135,6 @@ def get_args(): - required=False, - default="-", - ) -- parser.add_argument( -- "--device-access", -- help='List of devices the container should have access to, e.g "--device-access /dev/dri/card0,/dev/dri/renderD128"', -- required=False, -- default=None, -- type=str, -- dest="DeviceAccess", -- ) - args = parser.parse_args() - return vars(args) - -diff --git a/udica/man/man8/udica.8 b/udica/man/man8/udica.8 -index 8c3a48e..c7158ff 100644 ---- a/udica/man/man8/udica.8 -+++ b/udica/man/man8/udica.8 -@@ -53,6 +53,11 @@ Load templates and module created by this tool - List of capabilities, for example: "\-c 
AUDIT\_WRITE,CHOWN,DAC\_OVERRIDE,FOWNER,FSETID,KILL" - (mandatory to use for Docker Engine, see the BUGS section) - -+.TP -+.I \-\-devices DEVS -+List of devices the container should have access to, e.g "\-\-devices /dev/dri/card0,/dev/dri/renderD128" -+(overrides devices specified in the conatiner JSON) -+ - .TP - .I \-a, \-\-append-rules FILE - Append more SELinux allow rules generated from SELinux denials in audit daemon. -diff --git a/udica/policy.py b/udica/policy.py -index 9b7a14f..9069c97 100644 ---- a/udica/policy.py -+++ b/udica/policy.py -@@ -173,10 +173,8 @@ def create_policy( - # devices - # Not applicable for CRI-O container engine - if inspect_format != "CRI-0": -- if not devices and opts["DeviceAccess"]: -- devices = [ -- {"PathOnHost": device} for device in opts["DeviceAccess"].split(",") -- ] -+ if opts["Devices"]: -+ devices = [{"PathOnHost": device} for device in opts["Devices"].split(",")] - write_policy_for_podman_devices(devices, policy) - - # mounts --- -2.37.3 - diff --git a/0005-Show-diff-when-checking-formatting.patch b/0005-Show-diff-when-checking-formatting.patch deleted file mode 100644 index 479a34d..0000000 --- a/0005-Show-diff-when-checking-formatting.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 07ff36fd09cb20196691a80b5dc1e544b64f12f3 Mon Sep 17 00:00:00 2001 -From: Chris Evich -Date: Wed, 29 Mar 2023 15:25:49 -0400 -Subject: [PATCH] Show diff when checking formatting - -Otherwise, all you get in CI is a failure notice w/o any indication as -to why. - -Signed-off-by: Chris Evich ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 2b2eda9..4d3b55e 100644 ---- a/Makefile -+++ b/Makefile -@@ -16,7 +16,7 @@ format: - - .PHONY: - format-check: -- black --check *.py udica/*.py tests/*.py -+ black --check --diff *.py udica/*.py tests/*.py - - .PHONY: test - test: lint format-check --- -2.37.3 - 
diff --git a/0006-Fix-several-lint-findings.patch b/0006-Fix-several-lint-findings.patch deleted file mode 100644 index 44940d0..0000000 --- a/0006-Fix-several-lint-findings.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5d6feb3a6c900d119732a20145352b2459fafcde Mon Sep 17 00:00:00 2001 -From: Chris Evich -Date: Wed, 29 Mar 2023 15:34:13 -0400 -Subject: [PATCH] Fix several lint findings - -Signed-off-by: Chris Evich ---- - udica/__main__.py | 1 - - udica/policy.py | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/udica/__main__.py b/udica/__main__.py -index 103ddc2..43d2e43 100644 ---- a/udica/__main__.py -+++ b/udica/__main__.py -@@ -140,7 +140,6 @@ def get_args(): - - - def main(): -- - opts = get_args() - - if opts["ContainerID"]: -diff --git a/udica/policy.py b/udica/policy.py -index 9069c97..e32b077 100644 ---- a/udica/policy.py -+++ b/udica/policy.py -@@ -88,7 +88,6 @@ def list_contexts(directory): - - - def list_ports(port_number, port_proto): -- - handle = semanage.semanage_handle_create() - semanage.semanage_connect(handle) - --- -2.37.3 - diff --git a/0007-Fix-generating-policy-for-Crio-mounts.patch b/0007-Fix-generating-policy-for-Crio-mounts.patch deleted file mode 100644 index 1e3a275..0000000 --- a/0007-Fix-generating-policy-for-Crio-mounts.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 6a7382bead93a1777370e4bf37f545a22f3bfb4c Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 11 Apr 2023 18:15:13 +0200 -Subject: [PATCH] Fix generating policy for Crio mounts - -Fix issue introduced by -Commit 7c7b9ad505ab6b7cd809d30f1699d4bb7323ce0a -"Avoid duplicate rules for accessing mounts and devices" -where policy rules for "read-only mounts" are not generated properly. - -Adjust Crio basic test to incorporate a read only mount that is not -covered by a special case ("/home" is handled by "home_container" and -anything under "/var/lib/kubelet" is ignored). - -Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for -spotting this in the code. - -Signed-off-by: Vit Mojzis ---- - tests/selinux.py | 4 ++++ - tests/test_basic.cri.cil | 6 +++++- - tests/test_basic.cri.json | 4 ++-- - tests/test_main.py | 4 ++-- - udica/policy.py | 2 +- - 5 files changed, 14 insertions(+), 6 deletions(-) - -diff --git a/tests/selinux.py b/tests/selinux.py -index f56d132..3f720a5 100644 ---- a/tests/selinux.py -+++ b/tests/selinux.py -@@ -25,6 +25,8 @@ def selabel_lookup(selabel, directory, rc): - return (0, None) - elif directory == "/dev/fb0": - return (0, "system_u:object_r:framebuf_device_t:s0") -+ elif directory == "/etc/hosts": -+ return (0, "system_u:object_r:net_conf_t:s0") - else: - return (0, "system_u:object_r:var_spool_t:s0") - -@@ -32,5 +34,7 @@ def selabel_lookup(selabel, directory, rc): - def getfilecon(directory): - if directory == "/tmp/test": - return (0, "system_u:object_r:user_tmp_t:s0") -+ elif directory == "/etc/hosts": -+ return (0, "system_u:object_r:net_conf_t:s0") - else: - return (0, "system_u:object_r:var_spool_t:s0") -diff --git a/tests/test_basic.cri.cil b/tests/test_basic.cri.cil -index 47a3705..52d5771 100644 ---- a/tests/test_basic.cri.cil -+++ b/tests/test_basic.cri.cil -@@ -250,4 +250,8 @@ - (allow process zoneminder_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write 
))) - (allow process zoneminder_spool_t ( fifo_file ( getattr read write append ioctl lock open ))) - (allow process zoneminder_spool_t ( sock_file ( append getattr open read write ))) --) -\ No newline at end of file -+ (allow process net_conf_t ( dir ( getattr ioctl lock open read search ))) -+ (allow process net_conf_t ( file ( getattr ioctl lock open read ))) -+ (allow process net_conf_t ( fifo_file ( getattr open read lock ioctl ))) -+ (allow process net_conf_t ( sock_file ( getattr open read ))) -+) -diff --git a/tests/test_basic.cri.json b/tests/test_basic.cri.json -index e16f9aa..c21705d 100644 ---- a/tests/test_basic.cri.json -+++ b/tests/test_basic.cri.json -@@ -46,9 +46,9 @@ - }, - { - "containerPath": "/etc/hosts", -- "hostPath": "/var/lib/kubelet/pods/59ecb6eb-de09-11e9-8ebe-02e4204e049a/etc-hosts", -+ "hostPath": "/etc/hosts", - "propagation": "PROPAGATION_PRIVATE", -- "readonly": false, -+ "readonly": true, - "selinuxRelabel": false - }, - { -diff --git a/tests/test_main.py b/tests/test_main.py -index f32588b..fb6a9ab 100644 ---- a/tests/test_main.py -+++ b/tests/test_main.py -@@ -119,7 +119,7 @@ class TestBase(unittest.TestCase): - self.assert_policy(test_file("test_basic.docker.cil")) - - def test_basic_cri(self): -- """Start CRI-O mounting /var/spool with read/write perms and /home with readonly perms""" -+ """Start CRI-O mounting /var/spool with read/write perms and /home and /etc/hosts with readonly perms""" - output = self.run_udica( - [ - "udica", -@@ -135,7 +135,7 @@ class TestBase(unittest.TestCase): - self.assert_policy(test_file("test_basic.cri.cil")) - - def test_basic_specified_engine_cri(self): -- """Start CRI-O mounting /var/spool with read/write perms and /home with readonly perms""" -+ """Start CRI-O mounting /var/spool with read/write perms and /home and /etc/hosts with readonly perms""" - output = self.run_udica( - [ - "udica", -diff --git a/udica/policy.py b/udica/policy.py -index e32b077..9d1eae0 100644 ---- a/udica/policy.py 
-+++ b/udica/policy.py
-@@ -284,7 +284,7 @@ def write_policy_for_crio_mounts(mounts, policy):
- + " ))) \n"
- )
- 
-- for contexts in sorted(set(contexts_readonly)):
-+ for context in sorted(set(contexts_readonly)):
- policy.write(
- " (allow process "
- + context
--- 
-2.38.1
-
diff --git a/sources b/sources
index a1cf679..09d2fca 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v0.2.7.tar.gz) = 03ff95f80317d09f980f89a7c415f0aeb6de965e64e9179969d2361d6a62ad243987e0355453a2c4ce4f4086834ea651644ccaa7eff1d82926000373040fa21d
+SHA512 (v0.2.8.tar.gz) = 513d932cad65d75b5aa753f2b0e4a99c0f5fa930740c65c20343521bc74deca13b140a69b78ab001dcd144a14254d1dda8ca8989531070e545fddbb08c1e64f0
diff --git a/udica.spec b/udica.spec
index 557bf3a..1a7a9fc 100644
--- a/udica.spec
+++ b/udica.spec
@@ -1,16 +1,9 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
-Version: 0.2.7
-Release: 7%{?dist}
+Version: 0.2.8
+Release: 1%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
 #git format-patch -N 4a64ff7c1b8116a1894e72eee2a19706e970001f -- . ':!.cirrus.yml' ':!.github'
-Patch0001: 0001-Add-device-access-option.patch
-Patch0002: 0002-Syntax-changes-after-running-black.patch
-Patch0003: 0003-Add-unit-test-for-device-access.patch
-Patch0004: 0004-Rename-device-access-to-devices.patch
-Patch0005: 0005-Show-diff-when-checking-formatting.patch
-Patch0006: 0006-Fix-several-lint-findings.patch
-Patch0007: 0007-Fix-generating-policy-for-Crio-mounts.patch
 License: GPL-3.0-or-later
 BuildArch: noarch
 Url: https://github.com/containers/udica
@@ -66,6 +59,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif
 %changelog
+* Wed Nov 29 2023 Vit Mojzis - 0.2.8-1
+- New release
+
 * Sat Jul 22 2023 Fedora Release Engineering - 0.2.7-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
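Review bot: The context line `#git format-patch -N 4a64ff7c1b8116a1894e72eee2a19706e970001f -- . ':!.cirrus.yml' ':!.github'` in the first udica.spec hunk survives while all seven `Patch000N:` lines below it are removed, so it now documents how to regenerate patches that no longer exist, against a base commit that presumably belongs to the 0.2.7 series. Either remove it together with the Patch entries or turn it into a placeholder for the next downstream patch set, e.g. `# Downstream patches: none for 0.2.8. Regenerate with: git format-patch -N <upstream-tag> -- . ':!.cirrus.yml' ':!.github'`. The `sources` and `.gitignore` hunks are plain version bumps and need nothing further; the second udica.spec hunk's final context line lies past the end of this chunk.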