Compare commits


No commits in common. "c8-stream-2.0" and "imports/c9-beta/udica-0.2.6-30.el9_1" have entirely different histories.

4 changed files with 235 additions and 23 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/v0.2.1.tar.gz SOURCES/v0.2.6.tar.gz


@ -1 +1 @@
4040bc2746225acabf5c7038d8eb38ae2de30ac2 SOURCES/v0.2.1.tar.gz c14134162d47822f6659ecfc955a498171e9d08d SOURCES/v0.2.6.tar.gz


@ -0,0 +1,133 @@
From dd05dbe742384dd22f4a63889c56cb75e4e2f571 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 9 Nov 2021 18:04:39 +0100
Subject: [PATCH] Make sure each section of the inspect exists before accessing
Fixes: https://github.com/containers/udica/issues/105,
https://github.com/containers/udica/issues/103
Inspired by:
https://github.com/WellIDKRealy/udica/commit/0c56d98b8c58a8a4ceb89b04d700c834c13778fd
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
udica/parse.py | 62 ++++++++++++++++++++++++++++++++++++++------------
1 file changed, 48 insertions(+), 14 deletions(-)
diff --git a/udica/parse.py b/udica/parse.py
index 0797095..59b3dc5 100644
--- a/udica/parse.py
+++ b/udica/parse.py
@@ -29,6 +29,24 @@ ENGINE_DOCKER = "docker"
ENGINE_ALL = [ENGINE_PODMAN, ENGINE_CRIO, ENGINE_DOCKER]
+# Decorator for verifying that getting value from "data" won't
+# result in Key error or Type error
+# e.g. in data[0]["HostConfig"]["Devices"]
+# missing "HostConfig" key in data[0] produces KeyError and
+# data[0]["HostConfig"] == none produces TypeError
+def getter_decorator(function):
+ # Verify that each element in path exists and return the corresponding value,
+ # otherwise return [] -- can be safely processed by iterators
+ def wrapper(self, data, *args):
+ try:
+ value = function(self, data, *args)
+ return value if value else []
+ except (KeyError, TypeError):
+ return []
+
+ return wrapper
+
+
def json_is_podman_or_docker_format(json_rep):
"""Check if the inspected file is in a format from docker or podman.
@@ -91,19 +109,22 @@ class EngineHelper(abc.ABC):
def get_caps(self, data, opts):
if opts["Caps"]:
- if opts["Caps"] == "None":
+ if opts["Caps"] in ["None", "none"]:
return []
return opts["Caps"].split(",")
return []
class PodmanDockerHelper(EngineHelper):
+ @getter_decorator
def get_devices(self, data):
return data[0]["HostConfig"]["Devices"]
+ @getter_decorator
def get_mounts(self, data):
return data[0]["Mounts"]
+ @getter_decorator
def get_ports(self, data):
ports = []
for key, value in data[0]["NetworkSettings"]["Ports"].items():
@@ -120,8 +141,13 @@ class PodmanHelper(PodmanDockerHelper):
def __init__(self):
super().__init__(ENGINE_PODMAN)
+ @getter_decorator
def get_caps(self, data, opts):
- if not opts["Caps"]:
+ if opts["Caps"]:
+ return (
+ opts["Caps"].split(",") if opts["Caps"] not in ["None", "none"] else []
+ )
+ else:
return data[0]["EffectiveCaps"]
return []
@@ -138,18 +164,25 @@ class DockerHelper(PodmanDockerHelper):
def adjust_json_from_docker(self, json_rep):
"""If the json comes from a docker call, we need to adjust it to make use
of it."""
-
- if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict):
- raise Exception(
- "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter"
- )
-
- for item in json_rep[0]["Mounts"]:
- item["source"] = item["Source"]
- if item["Mode"] == "rw":
- item["options"] = "rw"
- if item["Mode"] == "ro":
- item["options"] = "ro"
+ try:
+ if not isinstance(json_rep[0]["NetworkSettings"]["Ports"], dict):
+ raise Exception(
+ "Error parsing docker engine inspection JSON structure, try to specify container engine using '--container-engine' parameter"
+ )
+ except (KeyError, TypeError):
+ # "Ports" not specified in given json file
+ pass
+
+ try:
+ for item in json_rep[0]["Mounts"]:
+ item["source"] = item["Source"]
+ if item["Mode"] == "rw":
+ item["options"] = "rw"
+ if item["Mode"] == "ro":
+ item["options"] = "ro"
+ except (KeyError, TypeError):
+ # "Mounts" not specified in given json file
+ pass
class CrioHelper(EngineHelper):
@@ -161,6 +194,7 @@ class CrioHelper(EngineHelper):
# bind mounting device on the container
return []
+ @getter_decorator
def get_mounts(self, data):
return data["status"]["mounts"]
--
2.30.2
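Review bot: In adjust_json_from_docker the new `try` wraps the whole mounts loop, so a `KeyError` from `item["Source"]` or `item["Mode"]` on one malformed entry is also caught by the `except (KeyError, TypeError): pass` branch that the comment describes as "Mounts not specified", and every mount after that entry is silently left without its `source`/`options` keys. Since this tool builds an SELinux policy from that list, the policy would then be generated from incomplete data with nothing in the output explaining why; narrowing the `try` to the lookup itself and iterating outside it keeps the "section missing" tolerance without hiding per-entry errors. The same over-broad catch exists in `getter_decorator`'s wrapper, which converts any `KeyError`/`TypeError` raised anywhere inside the decorated body (e.g. partway through the `.items()` loop of get_ports, whose body continues outside the hunk) into `[]`; at minimum that wrapper should log what it swallowed, and `functools.wraps(function)` on `wrapper` would preserve the decorated method's name for such messages.
```python
        try:
            mounts = json_rep[0]["Mounts"] or []
        except (KeyError, TypeError):
            # "Mounts" not specified in given json file
            mounts = []
        for item in mounts:
            item["source"] = item["Source"]
            # … unchanged: "Mode" -> "options" mapping …
```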


@ -1,8 +1,9 @@
Summary: A tool for generating SELinux security policies for containers Summary: A tool for generating SELinux security policies for containers
Name: udica Name: udica
Version: 0.2.1 Version: 0.2.6
Release: 2%{?dist} Release: 30%{?dist}
Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
Patch0: 0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
License: GPLv3+ License: GPLv3+
BuildArch: noarch BuildArch: noarch
Url: https://github.com/containers/udica Url: https://github.com/containers/udica
@ -13,13 +14,15 @@ Requires: python3 python3-libsemanage python3-libselinux
BuildRequires: python2 python2-devel python2-setuptools BuildRequires: python2 python2-devel python2-setuptools
Requires: python2 libsemanage-python libselinux-python Requires: python2 libsemanage-python libselinux-python
%endif %endif
# container-selinux provides policy templates
Requires: container-selinux >= 2.168.0-2
%description %description
Tool for generating SELinux security profiles for containers based on Tool for generating SELinux security profiles for containers based on
inspection of container JSON file. inspection of container JSON file.
%prep %prep
%setup -q %autosetup -p 1
%build %build
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
@ -29,8 +32,6 @@ inspection of container JSON file.
%endif %endif
%install %install
install --directory %%{buildroot}%{_datadir}/udica/templates
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
%{__python3} setup.py install --single-version-externally-managed --root=%{buildroot} %{__python3} setup.py install --single-version-externally-managed --root=%{buildroot}
%else %else
@ -45,9 +46,7 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
%{_bindir}/udica %{_bindir}/udica
%dir %{_datadir}/udica %dir %{_datadir}/udica
%dir %{_datadir}/udica/ansible %dir %{_datadir}/udica/ansible
%dir %{_datadir}/udica/templates
%{_datadir}/udica/ansible/* %{_datadir}/udica/ansible/*
%{_datadir}/udica/templates/*
%if 0%{?fedora} || 0%{?rhel} > 7 %if 0%{?fedora} || 0%{?rhel} > 7
%license LICENSE %license LICENSE
@ -60,29 +59,109 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
%endif %endif
%changelog %changelog
* Tue Nov 26 2019 Jindrich Novy <jnovy@redhat.com> - 0.2.1-2 * Fri Jan 27 2023 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-30
- initial import to container-tools 8.2.0 - Bump release to preserve upgrade path (#2160401)
- Related: RHELPLAN-25139
* Wed Dec 01 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-4
- Make sure each section of the inspect exists before accessing (#2027656)
* Tue Sep 21 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.6-3
- Require container-selinux shipping policy templates (#2000051)
* Fri Sep 17 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.6-2
- use RHEL-9 product version for gating
- Related: #2000051
* Thu Sep 16 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.6-1
- update to https://github.com/containers/udica/releases/tag/v0.2.6
- Related: #2000051
* Fri Sep 03 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.5-2
- New rebase https://github.com/containers/udica/releases/tag/v0.2.5 (#1995041)
- Replace capability dictionary with str.lower()
- Enable udica to generate policies with fifo class
- Sort container inspect data before processing
- Update templates to work properly with new cil parser
- Related: #2000051
* Wed Aug 25 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.5-1
- New rebase https://github.com/containers/udica/releases/tag/v0.2.5 (#1995046)
- Replace capability dictionary with str.lower()
- Enable udica to generate policies with fifo class
- Sort container inspect data before processing
- Update templates to work properly with new cil parser
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.2.4-9
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-8
- remove %%check again and all related BRs
* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-7
- remove black from BR
* Mon Jun 14 2021 Jindrich Novy <jnovy@redhat.com> - 0.2.4-6
- Add missing BR
- Related: #1970747
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.2.4-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 16 2021 Vit Mojzis <vmojzis@redhat.com> - 0.2.4-4
- Remove %%check section
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sun Dec 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.4-2
- Add %%check section to run basic tests during rpm build process
* Wed Nov 25 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.4-1
- New rebase https://github.com/containers/udica/releases/tag/v0.2.4
* Thu Aug 13 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.3-1
- New rebase https://github.com/containers/udica/releases/tag/v0.2.3
* Mon Aug 03 2020 Lukas Vrabec <lvrabec@redhat.com> - 0.2.2-1
- New rebase https://github.com/containers/udica/releases/tag/v0.2.2
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.2.1-3
- Rebuilt for Python 3.9
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.1-1 * Fri Oct 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.1-1
- New rebase https://github.com/containers/udica/releases/tag/v0.2.0 - New rebase https://github.com/containers/udica/releases/tag/v0.2.1
Resolves: rhbz#1757693
* Wed Oct 02 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.0-1 * Wed Sep 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.2.0-1
- New rebase https://github.com/containers/udica/releases/tag/v0.2.0 - New rebase https://github.com/containers/udica/releases/tag/v0.2.0
Resolves: rhbz#1757693
* Wed Aug 28 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.9-1
- Update tests test_basic.podman.cil, test_basic.docker.cil. Round 2
- New rebase https://github.com/containers/udica/releases/tag/v0.1.9
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.1.8-3
- Rebuilt for Python 3.8
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jul 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.8-1 * Thu Jul 11 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.8-1
- Udica supports podman version 1.4.0+ - New rebase https://github.com/containers/udica/releases/tag/v0.1.8
Resolves: rhbz#1729115
* Fri May 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.6-1 * Wed Jun 12 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.7-1
- Update testsuite from upstream release - New rebase with upstream adding new param --ansible, to generate ansible playbook for deploying policies. https://github.com/containers/udica/releases/tag/v0.1.7
Resolves: rhbz#1673643
* Wed May 15 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2 * Thu May 16 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.6-1
- Bump release because of gating tests - New rebase with upstream adding new tests
* Tue Apr 30 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-2
- Add allow rules for container_runtime_t to base_container.cil, Podman version 1.2.0 requires new allow rules.
* Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-1 * Fri Apr 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 0.1.5-1
- Create mock selinux and semanage module - Create mock selinux and semanage module
- Update testing section in README - Update testing section in README