

No commits in common. "c8-stream-2.0" and "c8s-stream-rhel8" have entirely different histories.

4 changed files with 183 additions and 9 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/v0.2.1.tar.gz SOURCES/v0.2.6.tar.gz


@ -1 +1 @@
4040bc2746225acabf5c7038d8eb38ae2de30ac2 SOURCES/v0.2.1.tar.gz c14134162d47822f6659ecfc955a498171e9d08d SOURCES/v0.2.6.tar.gz


@ -0,0 +1,133 @@
From dd05dbe742384dd22f4a63889c56cb75e4e2f571 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 9 Nov 2021 18:04:39 +0100
Subject: [PATCH] Make sure each section of the inspect exists before accessing
Fixes: https://github.com/containers/udica/issues/105,
https://github.com/containers/udica/issues/103
Inspired by:
https://github.com/WellIDKRealy/udica/commit/0c56d98b8c58a8a4ceb89b04d700c834c13778fd
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
udica/parse.py | 62 ++++++++++++++++++++++++++++++++++++++------------
1 file changed, 48 insertions(+), 14 deletions(-)
diff --git a/udica/parse.py b/udica/parse.py
index 0797095..59b3dc5 100644
--- a/udica/parse.py
+++ b/udica/parse.py
@@ -29,6 +29,24 @@ ENGINE_DOCKER = "docker"
ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER]
+# Decorator for verifying that getting value from "data" won't
+# result in Key error or Type error
+# e.g. in data[0]["HostConfig"]["Devices"]
+# missing "HostConfig" key in data[0] produces KeyError and
+# data[0]["HostConfig"] == none produces TypeError
+def getter_decorator(function):
+ # Verify that each element in path exists and return the corresponding value,
+ # otherwise return [] -- can be safely processed by iterators
+ def wrapper(self, data, *args):
+ try:
+ value = function(self, data, *args)
+ return value if value else []
+ except (KeyError, TypeError):
+ return []
+
+ return wrapper
+
+
def json_is_podman_or_docker_format(json_rep):
"""Check if the inspected file is in a format from docker or podman.
@@ -91,19 +109,22 @@ class EngineHelper(abc.ABC):
def get_caps(self, data, opts):
if opts["Caps"]:
- if opts["Caps"] == "None":
+ if opts["Caps"] in ["None", "none"]:
return []
return opts["Caps"].split(",")
return []
class PodmanDockerHelper(EngineHelper):
+ @getter_decorator
def get_devices(self, data):
return data[0]["HostConfig"]["Devices"]
+ @getter_decorator
def get_mounts(self, data):
return data[0]["Mounts"]
+ @getter_decorator
def get_ports(self, data):
ports = []
for key, value in data[0]["NetworkSettings"]["Ports"].items():
@@ -120,8 +141,13 @@ class PodmanHelper(PodmanDockerHelper):
def __init__(self):
super().__init__(ENGINE_PODMAN)
+ @getter_decorator
def get_caps(self, data, opts):
- if not opts["Caps"]:
+ if opts["Caps"]:
+ return (
+ opts["Caps"].split(",") if opts["Caps"] not in ["None", "none"] else []
+ )
+ else:
return data[0]["EffectiveCaps"]
return []
@@ -138,18 +164,25 @@ class DockerHelper(PodmanDockerHelper):
def adjust_json_from_docker(self, json_rep):
"""If the json comes from a docker call, we need to adjust it to make use
of it."""
-
- if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict):
- raise Exception(
- "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter"
- )
-
- for item in json_rep[0]["Mounts"]:
- item["source"] = item["Source"]
- if item["Mode"] == "rw":
- item["options"] = "rw"
- if item["Mode"] == "ro":
- item["options"] = "ro"
+ try:
+ if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict):
+ raise Exception(
+ "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter"
+ )
+ except (KeyError, TypeError):
+ # "Ports" not specified in given json file
+ pass
+
+ try:
+ for item in json_rep[0]["Mounts"]:
+ item["source"] = item["Source"]
+ if item["Mode"] == "rw":
+ item["options"] = "rw"
+ if item["Mode"] == "ro":
+ item["options"] = "ro"
+ except (KeyError, TypeError):
+ # "Mounts" not specified in given json file
+ pass
class CrioHelper(EngineHelper):
@@ -161,6 +194,7 @@ class CrioHelper(EngineHelper):
# bind mounting device on the container
return []
+ @getter_decorator
def get_mounts(self, data):
return data["status"]["mounts"]
--
2.30.2
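Review bot: In the patch's `adjust_json_from_docker` hunk, the second `try` wraps the whole `for item in json_rep[0]["Mounts"]` loop, so a `KeyError` on `item["Source"]` or `item["Mode"]` in one mount entry is caught as if the `Mounts` section were absent and the remaining entries are silently left without `source`/`options`, contradicting the `# "Mounts" not specified in given json file` comment. Only the section lookup should be guarded; per-item errors should keep surfacing as they did before the patch, since they indicate a malformed inspect rather than a missing section. The same broad guard in `getter_decorator` is reasonable for the pure getters, but once applied to `PodmanHelper.get_caps` it also hides a missing `opts["Caps"]` key from the caller; a short comment on that decoration, e.g. `# NOTE: also masks a missing opts["Caps"] key`, would make the trade-off explicit. The wrapper would also benefit from `@functools.wraps(function)` so the decorated getters keep their names in tracebacks.
```python
        try:
            mounts = json_rep[0]["Mounts"]
        except (KeyError, TypeError):
            # "Mounts" not specified in given json file
            return
        for item in mounts:
            # … unchanged: source/options adjustment per mount item …
```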


@ -1,8 +1,9 @@
Summary: A tool for generating SELinux security policies for containers Summary: A tool for generating SELinux security policies for containers
Name: udica Name: udica
Version: 0.2.1 Version: 0.2.6
Release: 2%{?dist} Release: 4%{?dist}
Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
Patch0: 0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
License: GPLv3+ License: GPLv3+
BuildArch: noarch BuildArch: noarch
Url: https://github.com/containers/udica Url: https://github.com/containers/udica
@ -13,13 +14,15 @@ Requires: python3 python3-libsemanage python3-libselinux
BuildRequires: python2 python2-devel python2-setuptools BuildRequires: python2 python2-devel python2-setuptools
Requires: python2 libsemanage-python libselinux-python Requires: python2 libsemanage-python libselinux-python
%endif %endif
# container-selinux provides policy templates
Requires: container-selinux >= 2.168.0-2
%description %description
Tool for generating SELinux security profiles for containers based on Tool for generating SELinux security profiles for containers based on
inspection of container JSON file. inspection of container JSON file.
%prep %prep
%setup -q %autosetup -p 1
%build %build
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
@ -29,8 +32,6 @@ inspection of container JSON file.
%endif %endif
%install %install
install --directory %%{buildroot}%{_datadir}/udica/templates
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
%{__python3} setup.py install --single-version-externally-managed --root=%{buildroot} %{__python3} setup.py install --single-version-externally-managed --root=%{buildroot}
%else %else
@ -45,9 +46,7 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
%{_bindir}/udica %{_bindir}/udica
%dir %{_datadir}/udica %dir %{_datadir}/udica
%dir %{_datadir}/udica/ansible %dir %{_datadir}/udica/ansible
%dir %{_datadir}/udica/templates
%{_datadir}/udica/ansible/* %{_datadir}/udica/ansible/*
%{_datadir}/udica/templates/*
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
%license LICENSE %license LICENSE
@ -60,6 +59,48 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
%endif %endif
%changelog %changelog
* Fri Nov 18 2022 Jindrich Novy <jnovy@redhat.com> - 0.2.6-4
- Bump release to match latest release available in rhel-8.6.1
- Resolves: #2139052
* Wed Dec 01 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-3
- Make sure each section of the inspect exists before accessing (#2027662)
* Tue Sep 21 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-2
- Require container-selinux shipping policy templates (#2005866)
* Fri Sep 17 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.6-1
- update to https://github.com/containers/udica/releases/tag/v0.2.6
- Related: #2001445
* Fri Aug 27 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.5-2
- New rebase https://github.com/containers/udica/releases/tag/v0.2.5 (#1995041)
- Replace capability dictionary with str.lower()
- Enable udica to generate policies with fifo class
- Sort container inspect data before processing
- Update templates to work properly with new cil parser
- Related: #1934415
* Thu Aug 26 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.5-1
- update to https://github.com/containers/udica/releases/tag/v0.2.5
- Related: #1934415
* Tue Jun 15 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-2
- remove %%check again and all related BRs
- Related: #1934415
* Thu Nov 26 2020 Jindrich Novy <jnovy@redhat.com> - 0.2.4-1
- update to https://github.com/containers/udica/releases/tag/v0.2.4
- Related: #1883490
* Wed Oct 21 2020 Jindrich Novy <jnovy@redhat.com> - 0.2.3-1
- synchronize with stream-container-tools-rhel8
- Related: #1883490
* Mon Aug 10 2020 Jindrich Novy <jnovy@redhat.com> - 0.2.2-1
- https://github.com/containers/udica/releases/tag/v0.2.2
- Related: #1821193
* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 0.2.1-2 * Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 0.2.1-2
- initial import to container-tools 8.2.0 - initial import to container-tools 8.2.0
- Related: RHELPLAN-25139 - Related: RHELPLAN-25139