diff --git a/.gitignore b/.gitignore index 2fe2416..bb88f31 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/v0.2.6.tar.gz +SOURCES/v0.2.8.tar.gz diff --git a/.udica.metadata b/.udica.metadata index 8333776..ee7e2e1 100644 --- a/.udica.metadata +++ b/.udica.metadata @@ -1 +1 @@ -c14134162d47822f6659ecfc955a498171e9d08d SOURCES/v0.2.6.tar.gz +033cad13d38db7fcb03b004ac3e60cba8c3166d0 SOURCES/v0.2.8.tar.gz diff --git a/SOURCES/0001-Make-sure-each-section-of-the-inspect-exists-before-.patch b/SOURCES/0001-Make-sure-each-section-of-the-inspect-exists-before-.patch deleted file mode 100644 index aed4008..0000000 --- a/SOURCES/0001-Make-sure-each-section-of-the-inspect-exists-before-.patch +++ /dev/null @@ -1,133 +0,0 @@ -From dd05dbe742384dd22f4a63889c56cb75e4e2f571 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 9 Nov 2021 18:04:39 +0100 -Subject: [PATCH] Make sure each section of the inspect exists before accessing - -Fixes: https://github.com/containers/udica/issues/105, - https://github.com/containers/udica/issues/103 - -Inspired by: -https://github.com/WellIDKRealy/udica/commit/0c56d98b8c58a8a4ceb89b04d700c834c13778fd - -Signed-off-by: Vit Mojzis ---- - udica/parse.py | 62 ++++++++++++++++++++++++++++++++++++++------------ - 1 file changed, 48 insertions(+), 14 deletions(-) - -diff --git a/udica/parse.py b/udica/parse.py -index 0797095..59b3dc5 100644 ---- a/udica/parse.py -+++ b/udica/parse.py -@@ -29,6 +29,24 @@ ENGINE_DOCKER = "docker" - ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER] - - -+# Decorator for verifying that getting value from "data" won't -+# result in Key error or Type error -+# e.g. in data[0]["HostConfig"]["Devices"] -+# missing "HostConfig" key in data[0] produces KeyError and -+# data[0]["HostConfig"] == none produces TypeError -+def getter_decorator(function): -+ # Verify that each element in path exists and return the corresponding value, -+ # otherwise return [] -- can be safely processed by iterators -+ def wrapper(self, data, *args): -+ try: -+ value = function(self, data, *args) -+ return value if value else [] -+ except (KeyError, TypeError): -+ return [] -+ -+ return wrapper -+ -+ - def json_is_podman_or_docker_format(json_rep): - """Check if the inspected file is in a format from docker or podman. - -@@ -91,19 +109,22 @@ class EngineHelper(abc.ABC): - - def get_caps(self, data, opts): - if opts["Caps"]: -- if opts["Caps"] == "None": -+ if opts["Caps"] in ["None", "none"]: - return [] - return opts["Caps"].split(",") - return [] - - - class PodmanDockerHelper(EngineHelper): -+ @getter_decorator - def get_devices(self, data): - return data[0]["HostConfig"]["Devices"] - -+ @getter_decorator - def get_mounts(self, data): - return data[0]["Mounts"] - -+ @getter_decorator - def get_ports(self, data): - ports = [] - for key, value in data[0]["NetworkSettings"]["Ports"].items(): -@@ -120,8 +141,13 @@ class PodmanHelper(PodmanDockerHelper): - def __init__(self): - super().__init__(ENGINE_PODMAN) - -+ @getter_decorator - def get_caps(self, data, opts): -- if not opts["Caps"]: -+ if opts["Caps"]: -+ return ( -+ opts["Caps"].split(",") if opts["Caps"] not in ["None", "none"] else [] -+ ) -+ else: - return data[0]["EffectiveCaps"] - return [] - -@@ -138,18 +164,25 @@ class DockerHelper(PodmanDockerHelper): - def adjust_json_from_docker(self, json_rep): - """If the json comes from a docker call, we need to adjust it to make use - of it.""" -- -- if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict): -- raise Exception( -- "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter" -- ) -- -- for item in json_rep[0]["Mounts"]: -- item["source"] = item["Source"] -- if item["Mode"] == "rw": -- item["options"] = "rw" -- if item["Mode"] == "ro": -- item["options"] = "ro" -+ try: -+ if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict): -+ raise Exception( -+ "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter" -+ ) -+ except (KeyError, TypeError): -+ # "Ports" not specified in given json file -+ pass -+ -+ try: -+ for item in json_rep[0]["Mounts"]: -+ item["source"] = item["Source"] -+ if item["Mode"] == "rw": -+ item["options"] = "rw" -+ if item["Mode"] == "ro": -+ item["options"] = "ro" -+ except (KeyError, TypeError): -+ # "Mounts" not specified in given json file -+ pass - - - class CrioHelper(EngineHelper): -@@ -161,6 +194,7 @@ class CrioHelper(EngineHelper): - # bind mounting device on the container - return [] - -+ @getter_decorator - def get_mounts(self, data): - return data["status"]["mounts"] - --- -2.30.2 - diff --git a/SPECS/udica.spec b/SPECS/udica.spec index 9826483..6e60c7f 100644 --- a/SPECS/udica.spec +++ b/SPECS/udica.spec @@ -1,9 +1,8 @@ Summary: A tool for generating SELinux security policies for containers Name: udica -Version: 0.2.6 -Release: 30%{?dist} +Version: 0.2.8 +Release: 1%{?dist} Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz -Patch0: 0001-Make-sure-each-section-of-the-inspect-exists-before-.patch License: GPLv3+ BuildArch: noarch Url: https://github.com/containers/udica @@ -59,6 +58,15 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8 %endif %changelog +* Thu Nov 30 2023 Vit Mojzis - 0.2.8-1 +- Improve code readability based on lint and black findings +- Fix generating policy for Crio mounts +- Add --devices option +- v0.2.7 release changes: +- Improve label collection for mounts and devices (RHEL-16245) +- Add support for containerd via "nerdctl inspect" +- Avoid duplicate rules for accessing mounts and devices + * Fri Jan 27 2023 Vit Mojzis - 0.2.6-30 - Bump release to preserve upgrade path (#2160401)