diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 1fd5981c27..64d47cb764 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -73,7 +73,7 @@ func NewHost(rtime runtime.Runtime, vsock transport.Transport) *Host {
 // so we first have to remove the base64 encoding that allows
 // the JSON based policy to be passed as a string. From there,
 // we decode the JSON and setup our security policy state
-func (h *Host) SetSecurityPolicy(base64_policy string) error {
+func (h *Host) SetSecurityPolicy(base64Policy string) error {
 h.policyMutex.Lock()
 defer h.policyMutex.Unlock()
 if h.securityPolicyEnforcerSet {
@@ -84,16 +84,18 @@ func (h *Host) SetSecurityPolicy(base64_policy string) error {
 // its base64 encoded because it is coming from an annotation
 // annotations are a map of string to string
 // we want to store a complex json object so.... base64 it is
- jsonPolicy, err := base64.StdEncoding.DecodeString(base64_policy)
+ jsonPolicy, err := base64.StdEncoding.DecodeString(base64Policy)
 if err != nil {
 return errors.Wrap(err, "unable to decode policy from Base64 format")
 }
 // json unmarshall the decoded to a SecurityPolicy
- securityPolicy := &securitypolicy.SecurityPolicy{}
- json.Unmarshal(jsonPolicy, securityPolicy)
+ var securityPolicy securitypolicy.SecurityPolicy
+ if err := json.Unmarshal(jsonPolicy, &securityPolicy); err != nil {
+ return errors.Wrap(err, "unable to unmarshal policy")
+ }
- p, err := securitypolicy.NewSecurityPolicyEnforcer(securityPolicy)
+ p, err := securitypolicy.NewSecurityPolicyEnforcer(&securityPolicy)
 if err != nil {
 return err
 }
diff --git a/internal/uvm/security_policy.go b/internal/uvm/security_policy.go
index e826b6d679..02af81d2b8 100644
--- a/internal/uvm/security_policy.go
+++ b/internal/uvm/security_policy.go
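Review bot: The new check on `json.Unmarshal(jsonPolicy, &securityPolicy)` in the second uvm.go hunk rejects malformed JSON, but encoding/json still silently drops keys it does not recognise, so a policy with a misspelled or unexpected field decodes without error and the enforcer is built from whatever remained. For input that defines a security policy it is usually safer to fail closed: `dec := json.NewDecoder(bytes.NewReader(jsonPolicy))`, `dec.DisallowUnknownFields()`, `if err := dec.Decode(&securityPolicy); err != nil {` (this needs the `bytes` import, and whether older guests must tolerate newer policy fields is a compatibility decision the hunk does not settle). The bare `return err` after NewSecurityPolicyEnforcer could also be wrapped with context like the two errors above it. SetSecurityPolicy begins before this hunk and continues past its last line.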
@@ -24,6 +24,10 @@ func (uvm *UtilityVM) SetSecurityPolicy(ctx context.Context, policy string) erro return errNotSupported } + if policy == "" { + return nil + } + uvm.m.Lock() defer uvm.m.Unlock()
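Review bot: The added `if policy == "" { return nil }` reports success without sending anything to the guest, and nothing visible here says what enforcement the guest applies when no policy ever arrives. If a caller treats a nil return from SetSecurityPolicy as evidence that a policy is in force, a missing or dropped annotation would pass silently. I would state the intent on the check, for example `// empty policy: nothing is sent, the guest keeps its default enforcer (confirm against the guest side)`, and consider a debug-level log so the skip shows up in traces. The body of SetSecurityPolicy starts above this hunk and continues below it.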