From eb3e6a0b13c09121ae879503dcf5364e20269b7b Mon Sep 17 00:00:00 2001
From: Stavros Volos
Date: Fri, 5 Nov 2021 17:05:16 +0000
Subject: [PATCH 1/3] security policy appended to environment variables so that containers can have access to it at runtime
Signed-off-by: Stavros Volos
---
 internal/guest/runtime/hcsv2/uvm.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 9b2f2a1924..919febf62e 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -209,6 +209,21 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 }()
 }
 
+ // Export security policy as one of the process's environment variables so that application and sidecar
+ // containers can have access to it. security policy is required by attestation containers which need to
+ // verify the attestation report feched from the PSP and extract init-time attestation claims found in
+ // the security policy. In doing so, an attestation container needs to confirm that the hash digest of
+ // the report's host_data attribute matches the hash digest of the security policy.
+ //
+ // We append the variable after the security policy enforcing logic completes so as to bypass it; the
+ // security policy variable cannot be included in the security policy as its value is not available
+ // security policy construction time.
+ policyEnforcer, ok := (h.securityPolicyEnforcer).(*securitypolicy.StandardSecurityPolicyEnforcer)
+ if ok {
+ secPolicyEnv := fmt.Sprintf("SECURITY_POLICY=%s", policyEnforcer.EncodedSecurityPolicy)
+ settings.OCISpecification.Process.Env = append(settings.OCISpecification.Process.Env, secPolicyEnv)
+ }
+
 // Create the BundlePath
 if err := os.MkdirAll(settings.OCIBundlePath, 0700); err != nil {
 return nil, errors.Wrapf(err, "failed to create OCIBundlePath: '%s'", settings.OCIBundlePath)
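Review bot: The new `SECURITY_POLICY` entry is appended after enforcement has run, so an entry of the same name that the caller already put in `settings.OCISpecification.Process.Env` (and that the policy's environment rules admitted) now precedes it; glibc `getenv` and Go's `os.Getenv` both return the first match, so a process in the container could read the caller-supplied value rather than the enforcer's. Remove any existing `SECURITY_POLICY=` entries before appending so the injected value is the only one, and the `fmt.Sprintf` can become a plain concatenation while you are there. If encoded policies can grow large it is also worth confirming the single string stays under Linux's per-string limit for execve arguments and environment entries (MAX_ARG_STRLEN, 128 KiB), since an oversize entry fails at exec time rather than here. CreateContainer begins and ends outside this hunk.
```go
	// … unchanged: explanatory comment …
	if policyEnforcer, ok := h.securityPolicyEnforcer.(*securitypolicy.StandardSecurityPolicyEnforcer); ok {
		// Drop any caller-supplied SECURITY_POLICY so the enforcer's value is the only (first) match.
		env := settings.OCISpecification.Process.Env[:0]
		for _, kv := range settings.OCISpecification.Process.Env {
			if !strings.HasPrefix(kv, "SECURITY_POLICY=") {
				env = append(env, kv)
			}
		}
		settings.OCISpecification.Process.Env = append(env, "SECURITY_POLICY="+policyEnforcer.EncodedSecurityPolicy)
	}
	// … unchanged: bundle path creation …
```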
From 5bbe7f5b25eafa603461981419c37544ca9c8b60 Mon Sep 17 00:00:00 2001
From: Stavros Volos
Date: Thu, 11 Nov 2021 17:50:59 +0000
Subject: [PATCH 2/3] policyEnforcer casting part of the if statement
Signed-off-by: Stavros Volos
---
 internal/guest/runtime/hcsv2/uvm.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 919febf62e..24f8440ae3 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -218,8 +218,8 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 // We append the variable after the security policy enforcing logic completes so as to bypass it; the
 // security policy variable cannot be included in the security policy as its value is not available
 // security policy construction time.
- policyEnforcer, ok := (h.securityPolicyEnforcer).(*securitypolicy.StandardSecurityPolicyEnforcer)
- if ok {
+
+ if policyEnforcer, ok := (h.securityPolicyEnforcer).(*securitypolicy.StandardSecurityPolicyEnforcer); ok {
 secPolicyEnv := fmt.Sprintf("SECURITY_POLICY=%s", policyEnforcer.EncodedSecurityPolicy)
 settings.OCISpecification.Process.Env = append(settings.OCISpecification.Process.Env, secPolicyEnv)
 }
From 3751f0754e6a751a2491254742f10791b31af5fd Mon Sep 17 00:00:00 2001
From: Stavros Volos
Date: Thu, 11 Nov 2021 18:06:23 +0000
Subject: [PATCH 3/3] re[hrase comment on the security policy environment variable
Signed-off-by: Stavros Volos
---
 internal/guest/runtime/hcsv2/uvm.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 24f8440ae3..b1ec2c1001 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
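Review bot: The blank line added as the first `+` line of the hunk separates the nine-line explanatory comment from the `if` it describes, so readers no longer see them as one unit; drop that blank line so the comment sits directly above the statement. The parentheses around `h.securityPolicyEnforcer` in the type assertion are also redundant: `if policyEnforcer, ok := h.securityPolicyEnforcer.(*securitypolicy.StandardSecurityPolicyEnforcer); ok {`. CreateContainer's body continues outside the hunk on both sides.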
@@ -210,10 +210,8 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 }
 
 // Export security policy as one of the process's environment variables so that application and sidecar
- // containers can have access to it. security policy is required by attestation containers which need to
- // verify the attestation report feched from the PSP and extract init-time attestation claims found in
- // the security policy. In doing so, an attestation container needs to confirm that the hash digest of
- // the report's host_data attribute matches the hash digest of the security policy.
+ // containers can have access to it. The security policy is required by containers which need to extract
+ // init-time claims found in the security policy.
 //
 // We append the variable after the security policy enforcing logic completes so as to bypass it; the
 // security policy variable cannot be included in the security policy as its value is not available