rpms/udica
7
0
Fork 0
Code Issues Pull Requests Releases Activity

udica-0.2.8

Browse Source 
New release https://github.com/containers/udica/releases/tag/v0.2.8
This commit is contained in:
Vit Mojzis 2023-11-29 12:36:32 +01:00
parent b6b5088980
commit 5e0609b1fe
10 changed files with 7 additions and 684 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -15,3 +15,4 @@
/v0.2.5.tar.gz /v0.2.5.tar.gz
/v0.2.6.tar.gz /v0.2.6.tar.gz
/v0.2.7.tar.gz /v0.2.7.tar.gz
/v0.2.8.tar.gz

49
0001-Add-device-access-option.patch
View File

@ -1,49 +0,0 @@
From a72b8fffc82657de85d20b3c9191d24a0b41e612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= <martin@skoett.name>
Date: Thu, 11 Aug 2022 14:20:14 +0200
Subject: [PATCH] Add ---device--access option
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Skøtt <martin@skoett.name>
---
udica/__main__.py | 8 ++++++++
udica/policy.py | 2 ++
2 files changed, 10 insertions(+)
diff --git a/udica/__main__.py b/udica/__main__.py
index d72a4b4..9cb276d 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -127,6 +127,14 @@ def get_args():
required=False,
default="-",
)
+ parser.add_argument(
+ "--device-access",
+ help='List of devices the container should have access to, e.g "--device-access /dev/dri/card0,/dev/dri/renderD128"',
+ required=False,
+ default=None,
+ type=str,
+ dest='DeviceAccess'
+ )
args = parser.parse_args()
return vars(args)
diff --git a/udica/policy.py b/udica/policy.py
index ec6ce20..0f1145a 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -173,6 +173,8 @@ def create_policy(
# devices
# Not applicable for CRI-O container engine
if inspect_format != "CRI-0":
+ if (not devices and opts["DeviceAccess"]):
+ devices = [{"PathOnHost": device} for device in opts["DeviceAccess"].split(',')]
write_policy_for_podman_devices(devices, policy)
# mounts
--
2.37.3

47
0002-Syntax-changes-after-running-black.patch
View File

@ -1,47 +0,0 @@
From a2f0e4588e010e9df9da7bbd46fa4304335f9b25 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= <martin@skoett.name>
Date: Thu, 11 Aug 2022 20:29:18 +0200
Subject: [PATCH] Syntax changes after running black
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Skøtt <martin@skoett.name>
---
udica/__main__.py | 2 +-
udica/policy.py | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/udica/__main__.py b/udica/__main__.py
index 9cb276d..84e0ba4 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -133,7 +133,7 @@ def get_args():
required=False,
default=None,
type=str,
- dest='DeviceAccess'
+ dest="DeviceAccess",
)
args = parser.parse_args()
return vars(args)
diff --git a/udica/policy.py b/udica/policy.py
index 0f1145a..9b7a14f 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -173,8 +173,10 @@ def create_policy(
# devices
# Not applicable for CRI-O container engine
if inspect_format != "CRI-0":
- if (not devices and opts["DeviceAccess"]):
- devices = [{"PathOnHost": device} for device in opts["DeviceAccess"].split(',')]
+ if not devices and opts["DeviceAccess"]:
+ devices = [
+ {"PathOnHost": device} for device in opts["DeviceAccess"].split(",")
+ ]
write_policy_for_podman_devices(devices, policy)
# mounts
--
2.37.3

294
0003-Add-unit-test-for-device-access.patch
View File

@ -1,294 +0,0 @@
From 0d3e3194e26a21c531d13bde5e45c0bce9717a99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Sk=C3=B8tt?= <martin@skoett.name>
Date: Thu, 11 Aug 2022 21:50:57 +0200
Subject: [PATCH] Add unit test for --device-access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Skøtt <martin@skoett.name>
---
tests/test_device_access.podman.json | 244 +++++++++++++++++++++++++++
tests/test_main.py | 15 ++
2 files changed, 259 insertions(+)
create mode 100644 tests/test_device_access.podman.json
diff --git a/tests/test_device_access.podman.json b/tests/test_device_access.podman.json
new file mode 100644
index 0000000..9a806a2
--- /dev/null
+++ b/tests/test_device_access.podman.json
@@ -0,0 +1,244 @@
+[
+ {
+ "Id": "68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744",
+ "Created": "2022-08-11T20:54:51.026287311+02:00",
+ "Path": "/bin/bash",
+ "Args": [
+ "/bin/bash"
+ ],
+ "State": {
+ "OciVersion": "1.0.2-dev",
+ "Status": "exited",
+ "Running": false,
+ "Paused": false,
+ "Restarting": false,
+ "OOMKilled": false,
+ "Dead": false,
+ "Pid": 0,
+ "ExitCode": 0,
+ "Error": "",
+ "StartedAt": "2022-08-11T20:54:51.116938836+02:00",
+ "FinishedAt": "2022-08-11T20:54:51.1327839+02:00",
+ "Health": {
+ "Status": "",
+ "FailingStreak": 0,
+ "Log": null
+ },
+ "CheckpointedAt": "0001-01-01T00:00:00Z",
+ "RestoredAt": "0001-01-01T00:00:00Z"
+ },
+ "Image": "2ecb6df959942dd2fdeb65606ca2e42a54f8c06af10eeb594fdfc3e2656c53d1",
+ "ImageName": "registry.fedoraproject.org/fedora:latest",
+ "Rootfs": "",
+ "Pod": "",
+ "ResolvConfPath": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/resolv.conf",
+ "HostnamePath": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/hostname",
+ "HostsPath": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/hosts",
+ "StaticDir": "/home/martin/.local/share/containers/storage/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata",
+ "OCIConfigPath": "/home/martin/.local/share/containers/storage/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/config.json",
+ "OCIRuntime": "crun",
+ "ConmonPidFile": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/conmon.pid",
+ "PidFile": "/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/pidfile",
+ "Name": "charming_khorana",
+ "RestartCount": 0,
+ "Driver": "overlay",
+ "MountLabel": "system_u:object_r:container_file_t:s0:c8,c574",
+ "ProcessLabel": "system_u:system_r:container_t:s0:c8,c574",
+ "AppArmorProfile": "",
+ "EffectiveCaps": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SETFCAP",
+ "CAP_SETGID",
+ "CAP_SETPCAP",
+ "CAP_SETUID",
+ "CAP_SYS_CHROOT"
+ ],
+ "BoundingCaps": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SETFCAP",
+ "CAP_SETGID",
+ "CAP_SETPCAP",
+ "CAP_SETUID",
+ "CAP_SYS_CHROOT"
+ ],
+ "ExecIDs": [],
+ "GraphDriver": {
+ "Name": "overlay",
+ "Data": {
+ "LowerDir": "/home/martin/.local/share/containers/storage/overlay/1da06ca5080c2ce2499e2f9802259209c7dd85c92d64852c3165425cdc18c443/diff",
+ "UpperDir": "/home/martin/.local/share/containers/storage/overlay/98294044df8fadc428b8a41befc0c83d574601b56076c62ce7fa93df6c48f8dc/diff",
+ "WorkDir": "/home/martin/.local/share/containers/storage/overlay/98294044df8fadc428b8a41befc0c83d574601b56076c62ce7fa93df6c48f8dc/work"
+ }
+ },
+ "Mounts": [],
+ "Dependencies": [],
+ "NetworkSettings": {
+ "EndpointID": "",
+ "Gateway": "",
+ "IPAddress": "",
+ "IPPrefixLen": 0,
+ "IPv6Gateway": "",
+ "GlobalIPv6Address": "",
+ "GlobalIPv6PrefixLen": 0,
+ "MacAddress": "",
+ "Bridge": "",
+ "SandboxID": "",
+ "HairpinMode": false,
+ "LinkLocalIPv6Address": "",
+ "LinkLocalIPv6PrefixLen": 0,
+ "Ports": {},
+ "SandboxKey": ""
+ },
+ "Namespace": "",
+ "IsInfra": false,
+ "Config": {
+ "Hostname": "68485406c4bb",
+ "Domainname": "",
+ "User": "",
+ "AttachStdin": false,
+ "AttachStdout": false,
+ "AttachStderr": false,
+ "Tty": false,
+ "OpenStdin": false,
+ "StdinOnce": false,
+ "Env": [
+ "FGC=f36",
+ "DISTTAG=f36container",
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ "container=oci",
+ "HOME=/root",
+ "HOSTNAME=68485406c4bb"
+ ],
+ "Cmd": [
+ "/bin/bash"
+ ],
+ "Image": "registry.fedoraproject.org/fedora:latest",
+ "Volumes": null,
+ "WorkingDir": "/",
+ "Entrypoint": "",
+ "OnBuild": null,
+ "Labels": {
+ "license": "MIT",
+ "name": "fedora",
+ "vendor": "Fedora Project",
+ "version": "36"
+ },
+ "Annotations": {
+ "io.container.manager": "libpod",
+ "io.kubernetes.cri-o.Created": "2022-08-11T20:54:51.026287311+02:00",
+ "io.kubernetes.cri-o.TTY": "false",
+ "io.podman.annotations.autoremove": "FALSE",
+ "io.podman.annotations.init": "FALSE",
+ "io.podman.annotations.privileged": "FALSE",
+ "io.podman.annotations.publish-all": "FALSE",
+ "org.opencontainers.image.stopSignal": "15"
+ },
+ "StopSignal": 15,
+ "CreateCommand": [
+ "podman",
+ "run",
+ "--device",
+ "/dev/fb0",
+ "fedora"
+ ],
+ "Umask": "0022",
+ "Timeout": 0,
+ "StopTimeout": 10,
+ "Passwd": true
+ },
+ "HostConfig": {
+ "Binds": [],
+ "CgroupManager": "systemd",
+ "CgroupMode": "private",
+ "ContainerIDFile": "",
+ "LogConfig": {
+ "Type": "journald",
+ "Config": null,
+ "Path": "",
+ "Tag": "",
+ "Size": "0B"
+ },
+ "NetworkMode": "slirp4netns",
+ "PortBindings": {},
+ "RestartPolicy": {
+ "Name": "",
+ "MaximumRetryCount": 0
+ },
+ "AutoRemove": false,
+ "VolumeDriver": "",
+ "VolumesFrom": null,
+ "CapAdd": [],
+ "CapDrop": [
+ "CAP_AUDIT_WRITE",
+ "CAP_MKNOD",
+ "CAP_NET_RAW"
+ ],
+ "Dns": [],
+ "DnsOptions": [],
+ "DnsSearch": [],
+ "ExtraHosts": [],
+ "GroupAdd": [],
+ "IpcMode": "shareable",
+ "Cgroup": "",
+ "Cgroups": "default",
+ "Links": null,
+ "OomScoreAdj": 0,
+ "PidMode": "private",
+ "Privileged": false,
+ "PublishAllPorts": false,
+ "ReadonlyRootfs": false,
+ "SecurityOpt": [],
+ "Tmpfs": {},
+ "UTSMode": "private",
+ "UsernsMode": "",
+ "ShmSize": 65536000,
+ "Runtime": "oci",
+ "ConsoleSize": [
+ 0,
+ 0
+ ],
+ "Isolation": "",
+ "CpuShares": 0,
+ "Memory": 0,
+ "NanoCpus": 0,
+ "CgroupParent": "user.slice",
+ "BlkioWeight": 0,
+ "BlkioWeightDevice": null,
+ "BlkioDeviceReadBps": null,
+ "BlkioDeviceWriteBps": null,
+ "BlkioDeviceReadIOps": null,
+ "BlkioDeviceWriteIOps": null,
+ "CpuPeriod": 0,
+ "CpuQuota": 0,
+ "CpuRealtimePeriod": 0,
+ "CpuRealtimeRuntime": 0,
+ "CpusetCpus": "",
+ "CpusetMems": "",
+ "Devices": [],
+ "DiskQuota": 0,
+ "KernelMemory": 0,
+ "MemoryReservation": 0,
+ "MemorySwap": 0,
+ "MemorySwappiness": 0,
+ "OomKillDisable": false,
+ "PidsLimit": 2048,
+ "Ulimits": [],
+ "CpuCount": 0,
+ "CpuPercent": 0,
+ "IOMaximumIOps": 0,
+ "IOMaximumBandwidth": 0,
+ "CgroupConf": null
+ }
+ }
+]
diff --git a/tests/test_main.py b/tests/test_main.py
index 6b30dc4..bc17cc2 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -354,6 +354,21 @@ class TestBase(unittest.TestCase):
self.assert_templates(output, ["base_container"])
self.assert_policy(test_file("test_devices.podman.cil"))
+ def test_device_access_podman(self):
+ """podman run --device /dev/fb0 fedora"""
+ output = self.run_udica(
+ [
+ "udica",
+ "-j",
+ "tests/test_devices.podman.json",
+ "--device-access",
+ "/dev/fd0",
+ "my_container",
+ ]
+ )
+ self.assert_templates(output, ["base_container"])
+ self.assert_policy(test_file("test_devices.podman.cil"))
+
def run_udica(self, args):
with patch("sys.argv", args):
with patch("sys.stderr.write") as mock_err, patch(
--
2.37.3

101
0004-Rename-device-access-to-devices.patch
View File

@ -1,101 +0,0 @@
From 34c0f137583001c5b7b0f8bf681b027aeff109cb Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 19 Oct 2022 16:34:46 +0200
Subject: [PATCH] Rename --device-access to --devices
This makes parameters more consistent.
Also, describe the new parameter in man page.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
tests/test_main.py | 4 ++--
udica/__main__.py | 16 ++++++++--------
udica/man/man8/udica.8 | 5 +++++
udica/policy.py | 6 ++----
4 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/tests/test_main.py b/tests/test_main.py
index bc17cc2..f32588b 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -361,8 +361,8 @@ class TestBase(unittest.TestCase):
"udica",
"-j",
"tests/test_devices.podman.json",
- "--device-access",
- "/dev/fd0",
+ "--devices",
+ "/dev/fb0",
"my_container",
]
)
diff --git a/udica/__main__.py b/udica/__main__.py
index 84e0ba4..103ddc2 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -99,6 +99,14 @@ def get_args():
dest="Caps",
default=None,
)
+ parser.add_argument(
+ "--devices",
+ type=str,
+ help='List of devices the container should have access to, e.g "--devices /dev/dri/card0,/dev/dri/renderD128"',
+ dest="Devices",
+ required=False,
+ default=None,
+ )
parser.add_argument(
"-d",
"--ansible",
@@ -127,14 +135,6 @@ def get_args():
required=False,
default="-",
)
- parser.add_argument(
- "--device-access",
- help='List of devices the container should have access to, e.g "--device-access /dev/dri/card0,/dev/dri/renderD128"',
- required=False,
- default=None,
- type=str,
- dest="DeviceAccess",
- )
args = parser.parse_args()
return vars(args)
diff --git a/udica/man/man8/udica.8 b/udica/man/man8/udica.8
index 8c3a48e..c7158ff 100644
--- a/udica/man/man8/udica.8
+++ b/udica/man/man8/udica.8
@@ -53,6 +53,11 @@ Load templates and module created by this tool
List of capabilities, for example: "\-c AUDIT\_WRITE,CHOWN,DAC\_OVERRIDE,FOWNER,FSETID,KILL"
(mandatory to use for Docker Engine, see the BUGS section)
+.TP
+.I \-\-devices DEVS
+List of devices the container should have access to, e.g "\-\-devices /dev/dri/card0,/dev/dri/renderD128"
+(overrides devices specified in the conatiner JSON)
+
.TP
.I \-a, \-\-append-rules FILE
Append more SELinux allow rules generated from SELinux denials in audit daemon.
diff --git a/udica/policy.py b/udica/policy.py
index 9b7a14f..9069c97 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -173,10 +173,8 @@ def create_policy(
# devices
# Not applicable for CRI-O container engine
if inspect_format != "CRI-0":
- if not devices and opts["DeviceAccess"]:
- devices = [
- {"PathOnHost": device} for device in opts["DeviceAccess"].split(",")
- ]
+ if opts["Devices"]:
+ devices = [{"PathOnHost": device} for device in opts["Devices"].split(",")]
write_policy_for_podman_devices(devices, policy)
# mounts
--
2.37.3

29
0005-Show-diff-when-checking-formatting.patch
View File

@ -1,29 +0,0 @@
From 07ff36fd09cb20196691a80b5dc1e544b64f12f3 Mon Sep 17 00:00:00 2001
From: Chris Evich <cevich@redhat.com>
Date: Wed, 29 Mar 2023 15:25:49 -0400
Subject: [PATCH] Show diff when checking formatting
Otherwise, all you get in CI is a failure notice w/o any indication as
to why.
Signed-off-by: Chris Evich <cevich@redhat.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 2b2eda9..4d3b55e 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ format:
.PHONY:
format-check:
- black --check *.py udica/*.py tests/*.py
+ black --check --diff *.py udica/*.py tests/*.py
.PHONY: test
test: lint format-check
--
2.37.3

38
0006-Fix-several-lint-findings.patch
View File

@ -1,38 +0,0 @@
From 5d6feb3a6c900d119732a20145352b2459fafcde Mon Sep 17 00:00:00 2001
From: Chris Evich <cevich@redhat.com>
Date: Wed, 29 Mar 2023 15:34:13 -0400
Subject: [PATCH] Fix several lint findings
Signed-off-by: Chris Evich <cevich@redhat.com>
---
udica/__main__.py | 1 -
udica/policy.py | 1 -
2 files changed, 2 deletions(-)
diff --git a/udica/__main__.py b/udica/__main__.py
index 103ddc2..43d2e43 100644
--- a/udica/__main__.py
+++ b/udica/__main__.py
@@ -140,7 +140,6 @@ def get_args():
def main():
-
opts = get_args()
if opts["ContainerID"]:
diff --git a/udica/policy.py b/udica/policy.py
index 9069c97..e32b077 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -88,7 +88,6 @@ def list_contexts(directory):
def list_ports(port_number, port_proto):
-
handle = semanage.semanage_handle_create()
semanage.semanage_connect(handle)
--
2.37.3

116
0007-Fix-generating-policy-for-Crio-mounts.patch
View File

@ -1,116 +0,0 @@
From 6a7382bead93a1777370e4bf37f545a22f3bfb4c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 11 Apr 2023 18:15:13 +0200
Subject: [PATCH] Fix generating policy for Crio mounts
Fix issue introduced by
Commit 7c7b9ad505ab6b7cd809d30f1699d4bb7323ce0a
"Avoid duplicate rules for accessing mounts and devices"
where policy rules for "read-only mounts" are not generated properly.
Adjust Crio basic test to incorporate a read only mount that is not
covered by a special case ("/home" is handled by "home_container" and
anything under "/var/lib/kubelet" is ignored).
Thanks https://github.com/arcardon (jamjcardona@sbcglobal.net) for
spotting this in the code.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
tests/selinux.py | 4 ++++
tests/test_basic.cri.cil | 6 +++++-
tests/test_basic.cri.json | 4 ++--
tests/test_main.py | 4 ++--
udica/policy.py | 2 +-
5 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/tests/selinux.py b/tests/selinux.py
index f56d132..3f720a5 100644
--- a/tests/selinux.py
+++ b/tests/selinux.py
@@ -25,6 +25,8 @@ def selabel_lookup(selabel, directory, rc):
return (0, None)
elif directory == "/dev/fb0":
return (0, "system_u:object_r:framebuf_device_t:s0")
+ elif directory == "/etc/hosts":
+ return (0, "system_u:object_r:net_conf_t:s0")
else:
return (0, "system_u:object_r:var_spool_t:s0")
@@ -32,5 +34,7 @@ def selabel_lookup(selabel, directory, rc):
def getfilecon(directory):
if directory == "/tmp/test":
return (0, "system_u:object_r:user_tmp_t:s0")
+ elif directory == "/etc/hosts":
+ return (0, "system_u:object_r:net_conf_t:s0")
else:
return (0, "system_u:object_r:var_spool_t:s0")
diff --git a/tests/test_basic.cri.cil b/tests/test_basic.cri.cil
index 47a3705..52d5771 100644
--- a/tests/test_basic.cri.cil
+++ b/tests/test_basic.cri.cil
@@ -250,4 +250,8 @@
(allow process zoneminder_spool_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
(allow process zoneminder_spool_t ( fifo_file ( getattr read write append ioctl lock open )))
(allow process zoneminder_spool_t ( sock_file ( append getattr open read write )))
-)
\ No newline at end of file
+ (allow process net_conf_t ( dir ( getattr ioctl lock open read search )))
+ (allow process net_conf_t ( file ( getattr ioctl lock open read )))
+ (allow process net_conf_t ( fifo_file ( getattr open read lock ioctl )))
+ (allow process net_conf_t ( sock_file ( getattr open read )))
+)
diff --git a/tests/test_basic.cri.json b/tests/test_basic.cri.json
index e16f9aa..c21705d 100644
--- a/tests/test_basic.cri.json
+++ b/tests/test_basic.cri.json
@@ -46,9 +46,9 @@
},
{
"containerPath": "/etc/hosts",
- "hostPath": "/var/lib/kubelet/pods/59ecb6eb-de09-11e9-8ebe-02e4204e049a/etc-hosts",
+ "hostPath": "/etc/hosts",
"propagation": "PROPAGATION_PRIVATE",
- "readonly": false,
+ "readonly": true,
"selinuxRelabel": false
},
{
diff --git a/tests/test_main.py b/tests/test_main.py
index f32588b..fb6a9ab 100644
--- a/tests/test_main.py
+++ b/tests/test_main.py
@@ -119,7 +119,7 @@ class TestBase(unittest.TestCase):
self.assert_policy(test_file("test_basic.docker.cil"))
def test_basic_cri(self):
- """Start CRI-O mounting /var/spool with read/write perms and /home with readonly perms"""
+ """Start CRI-O mounting /var/spool with read/write perms and /home and /etc/hosts with readonly perms"""
output = self.run_udica(
[
"udica",
@@ -135,7 +135,7 @@ class TestBase(unittest.TestCase):
self.assert_policy(test_file("test_basic.cri.cil"))
def test_basic_specified_engine_cri(self):
- """Start CRI-O mounting /var/spool with read/write perms and /home with readonly perms"""
+ """Start CRI-O mounting /var/spool with read/write perms and /home and /etc/hosts with readonly perms"""
output = self.run_udica(
[
"udica",
diff --git a/udica/policy.py b/udica/policy.py
index e32b077..9d1eae0 100644
--- a/udica/policy.py
+++ b/udica/policy.py
@@ -284,7 +284,7 @@ def write_policy_for_crio_mounts(mounts, policy):
+ " ))) \n"
)
- for contexts in sorted(set(contexts_readonly)):
+ for context in sorted(set(contexts_readonly)):
policy.write(
" (allow process "
+ context
--
2.38.1

2
sources
View File

@ -1 +1 @@
SHA512 (v0.2.7.tar.gz) = 03ff95f80317d09f980f89a7c415f0aeb6de965e64e9179969d2361d6a62ad243987e0355453a2c4ce4f4086834ea651644ccaa7eff1d82926000373040fa21d SHA512 (v0.2.8.tar.gz) = 513d932cad65d75b5aa753f2b0e4a99c0f5fa930740c65c20343521bc74deca13b140a69b78ab001dcd144a14254d1dda8ca8989531070e545fddbb08c1e64f0

14
udica.spec
View File

@ -1,16 +1,9 @@
Summary: A tool for generating SELinux security policies for containers Summary: A tool for generating SELinux security policies for containers
Name: udica Name: udica
Version: 0.2.7 Version: 0.2.8
Release: 7%{?dist} Release: 1%{?dist}
Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
#git format-patch -N 4a64ff7c1b8116a1894e72eee2a19706e970001f -- . ':!.cirrus.yml' ':!.github' #git format-patch -N 4a64ff7c1b8116a1894e72eee2a19706e970001f -- . ':!.cirrus.yml' ':!.github'
Patch0001: 0001-Add-device-access-option.patch
Patch0002: 0002-Syntax-changes-after-running-black.patch
Patch0003: 0003-Add-unit-test-for-device-access.patch
Patch0004: 0004-Rename-device-access-to-devices.patch
Patch0005: 0005-Show-diff-when-checking-formatting.patch
Patch0006: 0006-Fix-several-lint-findings.patch
Patch0007: 0007-Fix-generating-policy-for-Crio-mounts.patch
License: GPL-3.0-or-later License: GPL-3.0-or-later
BuildArch: noarch BuildArch: noarch
Url: https://github.com/containers/udica Url: https://github.com/containers/udica
@ -66,6 +59,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
%endif %endif
%changelog %changelog
* Wed Nov 29 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.8-1
- New release
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.7-7 * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.7-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild