microsoft · anmaxvl · Sep 10, 2021 · Sep 9, 2021
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
@@ -5,7 +5,6 @@ package hcsv2
 import (
 	"bufio"
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -80,22 +79,13 @@ func (h *Host) SetSecurityPolicy(base64Policy string) error {
 		return errors.New("security policy has already been set")
 	}
 
-	// base64 decode the incoming policy string
-	// its base64 encoded because it is coming from an annotation
-	// annotations are a map of string to string
-	// we want to store a complex json object so.... base64 it is
-	jsonPolicy, err := base64.StdEncoding.DecodeString(base64Policy)
+	// construct security policy state
+	securityPolicyState, err := securitypolicy.NewSecurityPolicyState(base64Policy)
 	if err != nil {
-		return errors.Wrap(err, "unable to decode policy from Base64 format")
-	}
-
-	// json unmarshall the decoded to a SecurityPolicy
-	var securityPolicy securitypolicy.SecurityPolicy
-	if err := json.Unmarshal(jsonPolicy, &securityPolicy); err != nil {
-		return errors.Wrap(err, "unable to unmarshal policy")
+		return err
 	}
 
-	p, err := securitypolicy.NewSecurityPolicyEnforcer(&securityPolicy)
+	p, err := securitypolicy.NewSecurityPolicyEnforcer(*securityPolicyState)
 	if err != nil {
 		return err
 	}

diff --git a/internal/tools/securitypolicy/README.md b/internal/tools/securitypolicy/README.md
@@ -34,66 +34,73 @@ represented in JSON.
 ```json
 {
   "allow_all": false,
-  "containers": [
-    {
-      "command": [
-        "/pause"
-      ],
-      "env_rules": [
-        {
+  "num_containers": 2,
+  "containers": {
+    "0": {
+      "num_commands": 2,
+      "command": {
+        "0": "rustc",
+        "1": "--help"
+      },
+      "num_env_rules": 6,
+      "env_rules": {
+        "0": {
           "strategy": "string",
-          "rule": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          "rule": "PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         },
-        {
+        "1": {
           "strategy": "string",
-          "rule": "TERM=xterm"
-        }
-      ],
-      "layers": [
-        "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"
-      ]
-    },
-    {
-      "command": [
-        "rustc",
-        "--help"
-      ],
-      "env_rules": [
-        {
-          "strategy": "re2",
-          "rule": "PREFIX_.+=.+"
+          "rule": "RUSTUP_HOME=/usr/local/rustup"
         },
-        {
+        "2": {
           "strategy": "string",
-          "rule": "TERM=xterm"
+          "rule": "CARGO_HOME=/usr/local/cargo"
         },
-        {
+        "3": {
           "strategy": "string",
-          "rule": "PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+          "rule": "RUST_VERSION=1.52.1"
         },
-        {
+        "4": {
           "strategy": "string",
-          "rule": "RUSTUP_HOME=/usr/local/rustup"
+          "rule": "TERM=xterm"
         },
-        {
+        "5": {
+          "strategy": "re2",
+          "rule": "PREFIX_.+=.+"
+        }
+      },
+      "num_layers": 6,
+      "layers": {
+        "0": "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
+        "1": "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
+        "2": "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
+        "3": "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
+        "4": "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
+        "5": "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766"
+      }
+    },
+    "1": {
+      "num_commands": 1,
+      "command": {
+        "0": "/pause"
+      },
+      "num_env_rules": 2,
+      "env_rules": {
+        "0": {
           "strategy": "string",
-          "rule": "CARGO_HOME=/usr/local/cargo"
+          "rule": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         },
-        {
+        "1": {
           "strategy": "string",
-          "rule": "RUST_VERSION=1.52.1"
+          "rule": "TERM=xterm"
         }
-      ],
-      "layers": [
-        "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
-        "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
-        "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
-        "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
-        "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
-        "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766"
-      ]
+      },
+      "num_layers": 1,
+      "layers": {
+        "0": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"
+      }
     }
-  ]
+  }
 }
 ```
 

diff --git a/internal/tools/securitypolicy/main.go b/internal/tools/securitypolicy/main.go
@@ -8,6 +8,7 @@ import (
 	"io/ioutil"
 	"os"
 	"regexp"
+	"strconv"
 
 	"github.com/BurntSushi/toml"
 	"github.com/Microsoft/hcsshim/ext4/dmverity"
@@ -102,7 +103,9 @@ func createOpenDoorPolicy() sp.SecurityPolicy {
 }
 
 func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
-	p := sp.SecurityPolicy{}
+	p := sp.SecurityPolicy{
+		Containers: map[string]sp.SecurityPolicyContainer{},
+	}
 
 	var imageOptions []remote.Option
 	if len(*username) != 0 && len(*password) != 0 {
@@ -129,10 +132,13 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 			return p, err
 		}
 
+		command := convertCommand(image.Command)
+		envRules := convertEnvironmentVariableRules(image.EnvRules)
 		container := sp.SecurityPolicyContainer{
-			Command:  image.Command,
-			EnvRules: convertEnvironmentVariableRules(image.EnvRules),
-			Layers:   []string{},
+			NumCommands: len(command),
+			Command:     command,
+			EnvRules:    envRules,
+			Layers:      map[string]string{},
 		}
 		ref, err := name.ParseReference(image.Name)
 		if err != nil {
@@ -181,9 +187,11 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 			}
 			hash := dmverity.RootHash(tree)
 			hashString := fmt.Sprintf("%x", hash)
-			container.Layers = append(container.Layers, hashString)
+			container.Layers = addLayer(container.Layers, hashString)
 		}
 
+		container.NumLayers = len(layers)
+
 		// add rules for all known environment variables from the configuration
 		// these are in addition to "other rules" from the policy definition file
 		config, err := img.ConfigFile()
@@ -196,7 +204,7 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 				Rule:     env,
 			}
 
-			container.EnvRules = append(container.EnvRules, rule)
+			container.EnvRules = addEnvRule(container.EnvRules, rule)
 		}
 
 		// cri adds TERM=xterm for all workload containers. we add to all containers
@@ -206,11 +214,14 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 			Rule:     "TERM=xterm",
 		}
 
-		container.EnvRules = append(container.EnvRules, rule)
+		container.EnvRules = addEnvRule(container.EnvRules, rule)
+		container.NumEnvRules = len(container.EnvRules)
 
-		p.Containers = append(p.Containers, container)
+		p.Containers = addContainer(p.Containers, container)
 	}
 
+	p.NumContainers = len(p.Containers)
+
 	return p, nil
 }
 
@@ -228,17 +239,51 @@ func validateEnvRules(rules []EnvironmentVariableRule) error {
 	return nil
 }
 
-func convertEnvironmentVariableRules(toml []EnvironmentVariableRule) []sp.SecurityPolicyEnvironmentVariableRule {
-	json := make([]sp.SecurityPolicyEnvironmentVariableRule, len(toml))
+func convertCommand(toml []string) map[string]string {
+	json := map[string]string{}
+
+	for i, arg := range toml {
+		json[strconv.Itoa(i)] = arg
+	}
+
+	return json
+}
+
+func convertEnvironmentVariableRules(toml []EnvironmentVariableRule) map[string]sp.SecurityPolicyEnvironmentVariableRule {
+	json := map[string]sp.SecurityPolicyEnvironmentVariableRule{}
 
 	for i, rule := range toml {
 		jsonRule := sp.SecurityPolicyEnvironmentVariableRule{
 			Strategy: rule.Strategy,
 			Rule:     rule.Rule,
 		}
 
-		json[i] = jsonRule
+		json[strconv.Itoa(i)] = jsonRule
 	}
 
 	return json
 }
+
+func addContainer(containers map[string]sp.SecurityPolicyContainer, container sp.SecurityPolicyContainer) map[string]sp.SecurityPolicyContainer {
+	index := strconv.Itoa(len(containers))
+
+	containers[index] = container
+
+	return containers
+}
+
+func addLayer(layers map[string]string, layer string) map[string]string {
+	index := strconv.Itoa(len(layers))
+
+	layers[index] = layer
+
+	return layers
+}
+
+func addEnvRule(rules map[string]sp.SecurityPolicyEnvironmentVariableRule, rule sp.SecurityPolicyEnvironmentVariableRule) map[string]sp.SecurityPolicyEnvironmentVariableRule {
+	index := strconv.Itoa(len(rules))
+
+	rules[index] = rule
+
+	return rules
+}