From d5d7af64a5652d24206732e67990bb597fb35a5e Mon Sep 17 00:00:00 2001 From: "Sean T. Allen" Date: Mon, 20 Sep 2021 13:28:20 -0400 Subject: [PATCH] Rename variable in SecurityPolicyEnforcer Once upon a time, naming the variable that represented the type as "policyState" made sense, it no longer does. At Maksim's suggestion, this commit renames from "policyState" to "pe" which is short for "policy enforcer". Signed-off-by: Sean T. Allen --- pkg/securitypolicy/securitypolicyenforcer.go | 78 +++++++++---------- .../securitypolicy/securitypolicyenforcer.go | 78 +++++++++---------- 2 files changed, 78 insertions(+), 78 deletions(-) diff --git a/pkg/securitypolicy/securitypolicyenforcer.go b/pkg/securitypolicy/securitypolicyenforcer.go index 235b52f0ad..2e465b5946 100644 --- a/pkg/securitypolicy/securitypolicyenforcer.go +++ b/pkg/securitypolicy/securitypolicyenforcer.go @@ -185,11 +185,11 @@ func stringMapToStringArray(in map[string]string) []string { return out } -func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - if len(policyState.Containers) < 1 { + if len(pe.Containers) < 1 { return errors.New("policy doesn't allow mounting containers") } @@ -199,10 +199,10 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(targ found := false - for i, container := range policyState.Containers { + for i, container := range pe.Containers { for ii, layer := range container.Layers { if deviceHash == layer { - policyState.Devices[i][ii] = target + pe.Devices[i][ii] = target found = true } } @@ -215,11 +215,11 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(targ return nil } -func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - for _, container := range policyState.Devices { + for _, container := range pe.Devices { for j, storedTarget := range container { if unmountTarget == storedTarget { container[j] = "" @@ -230,36 +230,36 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(un return nil } -func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - if len(policyState.Containers) < 1 { + if len(pe.Containers) < 1 { return errors.New("policy doesn't allow mounting containers") } - if _, e := policyState.startedContainers[containerID]; e { + if _, e := pe.startedContainers[containerID]; e { return errors.New("container has already been started") } // find maximum number of containers that could share this overlay maxPossibleContainerIdsForOverlay := 0 - for _, deviceList := range policyState.Devices { + for _, deviceList := range pe.Devices { if equalForOverlay(layerPaths, deviceList) { maxPossibleContainerIdsForOverlay++ } } if maxPossibleContainerIdsForOverlay == 0 { - errmsg := fmt.Sprintf("layerPaths '%v' doesn't match any valid layer path: '%v'", layerPaths, policyState.Devices) + errmsg := fmt.Sprintf("layerPaths '%v' doesn't match any valid layer path: '%v'", layerPaths, pe.Devices) return errors.New(errmsg) } - for i, deviceList := range policyState.Devices { + for i, deviceList := range pe.Devices { if equalForOverlay(layerPaths, deviceList) { - existing := policyState.ContainerIndexToContainerIds[i] + existing := pe.ContainerIndexToContainerIds[i] if len(existing) < maxPossibleContainerIdsForOverlay { - policyState.ContainerIndexToContainerIds[i] = append(existing, containerID) + pe.ContainerIndexToContainerIds[i] = append(existing, containerID) } else { errmsg := fmt.Sprintf("layerPaths '%v' already used in maximum number of container overlays", layerPaths) return errors.New(errmsg) @@ -270,39 +270,39 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(con return nil } -func (policyState *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - if len(policyState.Containers) < 1 { + if len(pe.Containers) < 1 { return errors.New("policy doesn't allow mounting containers") } - if _, e := policyState.startedContainers[containerID]; e { + if _, e := pe.startedContainers[containerID]; e { return errors.New("container has already been started") } - err = policyState.enforceCommandPolicy(containerID, argList) + err = pe.enforceCommandPolicy(containerID, argList) if err != nil { return err } - err = policyState.enforceEnvironmentVariablePolicy(containerID, envList) + err = pe.enforceEnvironmentVariablePolicy(containerID, envList) if err != nil { return err } // record that we've allowed this container to start - policyState.startedContainers[containerID] = struct{}{} + pe.startedContainers[containerID] = struct{}{} return nil } -func (policyState *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containerID string, argList []string) (err error) { +func (pe *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containerID string, argList []string) (err error) { // Get a list of all the indexes into our security policy's list of // containers that are possible matches for this containerID based // on the image overlay layout - possibleIndexes := possibleIndexesForID(containerID, policyState.ContainerIndexToContainerIds) + possibleIndexes := possibleIndexesForID(containerID, pe.ContainerIndexToContainerIds) // Loop through every possible match and do two things: // 1- see if any command matches. we need at least one match or @@ -311,13 +311,13 @@ func (policyState *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containe // security policy whose command line isn't a match. matchingCommandFound := false for _, possibleIndex := range possibleIndexes { - cmd := policyState.Containers[possibleIndex].Command + cmd := pe.Containers[possibleIndex].Command if cmp.Equal(cmd, argList) { matchingCommandFound = true } else { // a possible matching index turned out not to match, so we // need to update that list and remove it - policyState.narrowMatchesForContainerIndex(possibleIndex, containerID) + pe.narrowMatchesForContainerIndex(possibleIndex, containerID) } } @@ -329,23 +329,23 @@ func (policyState *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containe return nil } -func (policyState *StandardSecurityPolicyEnforcer) enforceEnvironmentVariablePolicy(containerID string, envList []string) (err error) { +func (pe *StandardSecurityPolicyEnforcer) enforceEnvironmentVariablePolicy(containerID string, envList []string) (err error) { // Get a list of all the indexes into our security policy's list of // containers that are possible matches for this containerID based // on the image overlay layout and command line - possibleIndexes := possibleIndexesForID(containerID, policyState.ContainerIndexToContainerIds) + possibleIndexes := possibleIndexesForID(containerID, pe.ContainerIndexToContainerIds) for _, envVariable := range envList { matchingRuleFoundForSomeContainer := false for _, possibleIndex := range possibleIndexes { - envRules := policyState.Containers[possibleIndex].EnvRules + envRules := pe.Containers[possibleIndex].EnvRules ok := envIsMatchedByRule(envVariable, envRules) if ok { matchingRuleFoundForSomeContainer = true } else { // a possible matching index turned out not to match, so we // need to update that list and remove it - policyState.narrowMatchesForContainerIndex(possibleIndex, containerID) + pe.narrowMatchesForContainerIndex(possibleIndex, containerID) } } @@ -376,15 +376,15 @@ func envIsMatchedByRule(envVariable string, rules []securityPolicyEnvironmentVar return false } -func (policyState *StandardSecurityPolicyEnforcer) narrowMatchesForContainerIndex(index int, idToRemove string) { +func (pe *StandardSecurityPolicyEnforcer) narrowMatchesForContainerIndex(index int, idToRemove string) { updatedContainerIds := []string{} - existingContainerIds := policyState.ContainerIndexToContainerIds[index] + existingContainerIds := pe.ContainerIndexToContainerIds[index] for _, id := range existingContainerIds { if id != idToRemove { updatedContainerIds = append(updatedContainerIds, id) } } - policyState.ContainerIndexToContainerIds[index] = updatedContainerIds + pe.ContainerIndexToContainerIds[index] = updatedContainerIds } func equalForOverlay(a1 []string, a2 []string) bool { diff --git a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go index 235b52f0ad..2e465b5946 100644 --- a/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go +++ b/test/vendor/github.com/Microsoft/hcsshim/pkg/securitypolicy/securitypolicyenforcer.go @@ -185,11 +185,11 @@ func stringMapToStringArray(in map[string]string) []string { return out } -func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - if len(policyState.Containers) < 1 { + if len(pe.Containers) < 1 { return errors.New("policy doesn't allow mounting containers") } @@ -199,10 +199,10 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(targ found := false - for i, container := range policyState.Containers { + for i, container := range pe.Containers { for ii, layer := range container.Layers { if deviceHash == layer { - policyState.Devices[i][ii] = target + pe.Devices[i][ii] = target found = true } } @@ -215,11 +215,11 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceMountPolicy(targ return nil } -func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(unmountTarget string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - for _, container := range policyState.Devices { + for _, container := range pe.Devices { for j, storedTarget := range container { if unmountTarget == storedTarget { container[j] = "" @@ -230,36 +230,36 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceDeviceUnmountPolicy(un return nil } -func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(containerID string, layerPaths []string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - if len(policyState.Containers) < 1 { + if len(pe.Containers) < 1 { return errors.New("policy doesn't allow mounting containers") } - if _, e := policyState.startedContainers[containerID]; e { + if _, e := pe.startedContainers[containerID]; e { return errors.New("container has already been started") } // find maximum number of containers that could share this overlay maxPossibleContainerIdsForOverlay := 0 - for _, deviceList := range policyState.Devices { + for _, deviceList := range pe.Devices { if equalForOverlay(layerPaths, deviceList) { maxPossibleContainerIdsForOverlay++ } } if maxPossibleContainerIdsForOverlay == 0 { - errmsg := fmt.Sprintf("layerPaths '%v' doesn't match any valid layer path: '%v'", layerPaths, policyState.Devices) + errmsg := fmt.Sprintf("layerPaths '%v' doesn't match any valid layer path: '%v'", layerPaths, pe.Devices) return errors.New(errmsg) } - for i, deviceList := range policyState.Devices { + for i, deviceList := range pe.Devices { if equalForOverlay(layerPaths, deviceList) { - existing := policyState.ContainerIndexToContainerIds[i] + existing := pe.ContainerIndexToContainerIds[i] if len(existing) < maxPossibleContainerIdsForOverlay { - policyState.ContainerIndexToContainerIds[i] = append(existing, containerID) + pe.ContainerIndexToContainerIds[i] = append(existing, containerID) } else { errmsg := fmt.Sprintf("layerPaths '%v' already used in maximum number of container overlays", layerPaths) return errors.New(errmsg) @@ -270,39 +270,39 @@ func (policyState *StandardSecurityPolicyEnforcer) EnforceOverlayMountPolicy(con return nil } -func (policyState *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error) { - policyState.mutex.Lock() - defer policyState.mutex.Unlock() +func (pe *StandardSecurityPolicyEnforcer) EnforceStartContainerPolicy(containerID string, argList []string, envList []string) (err error) { + pe.mutex.Lock() + defer pe.mutex.Unlock() - if len(policyState.Containers) < 1 { + if len(pe.Containers) < 1 { return errors.New("policy doesn't allow mounting containers") } - if _, e := policyState.startedContainers[containerID]; e { + if _, e := pe.startedContainers[containerID]; e { return errors.New("container has already been started") } - err = policyState.enforceCommandPolicy(containerID, argList) + err = pe.enforceCommandPolicy(containerID, argList) if err != nil { return err } - err = policyState.enforceEnvironmentVariablePolicy(containerID, envList) + err = pe.enforceEnvironmentVariablePolicy(containerID, envList) if err != nil { return err } // record that we've allowed this container to start - policyState.startedContainers[containerID] = struct{}{} + pe.startedContainers[containerID] = struct{}{} return nil } -func (policyState *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containerID string, argList []string) (err error) { +func (pe *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containerID string, argList []string) (err error) { // Get a list of all the indexes into our security policy's list of // containers that are possible matches for this containerID based // on the image overlay layout - possibleIndexes := possibleIndexesForID(containerID, policyState.ContainerIndexToContainerIds) + possibleIndexes := possibleIndexesForID(containerID, pe.ContainerIndexToContainerIds) // Loop through every possible match and do two things: // 1- see if any command matches. we need at least one match or @@ -311,13 +311,13 @@ func (policyState *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containe // security policy whose command line isn't a match. matchingCommandFound := false for _, possibleIndex := range possibleIndexes { - cmd := policyState.Containers[possibleIndex].Command + cmd := pe.Containers[possibleIndex].Command if cmp.Equal(cmd, argList) { matchingCommandFound = true } else { // a possible matching index turned out not to match, so we // need to update that list and remove it - policyState.narrowMatchesForContainerIndex(possibleIndex, containerID) + pe.narrowMatchesForContainerIndex(possibleIndex, containerID) } } @@ -329,23 +329,23 @@ func (policyState *StandardSecurityPolicyEnforcer) enforceCommandPolicy(containe return nil } -func (policyState *StandardSecurityPolicyEnforcer) enforceEnvironmentVariablePolicy(containerID string, envList []string) (err error) { +func (pe *StandardSecurityPolicyEnforcer) enforceEnvironmentVariablePolicy(containerID string, envList []string) (err error) { // Get a list of all the indexes into our security policy's list of // containers that are possible matches for this containerID based // on the image overlay layout and command line - possibleIndexes := possibleIndexesForID(containerID, policyState.ContainerIndexToContainerIds) + possibleIndexes := possibleIndexesForID(containerID, pe.ContainerIndexToContainerIds) for _, envVariable := range envList { matchingRuleFoundForSomeContainer := false for _, possibleIndex := range possibleIndexes { - envRules := policyState.Containers[possibleIndex].EnvRules + envRules := pe.Containers[possibleIndex].EnvRules ok := envIsMatchedByRule(envVariable, envRules) if ok { matchingRuleFoundForSomeContainer = true } else { // a possible matching index turned out not to match, so we // need to update that list and remove it - policyState.narrowMatchesForContainerIndex(possibleIndex, containerID) + pe.narrowMatchesForContainerIndex(possibleIndex, containerID) } } @@ -376,15 +376,15 @@ func envIsMatchedByRule(envVariable string, rules []securityPolicyEnvironmentVar return false } -func (policyState *StandardSecurityPolicyEnforcer) narrowMatchesForContainerIndex(index int, idToRemove string) { +func (pe *StandardSecurityPolicyEnforcer) narrowMatchesForContainerIndex(index int, idToRemove string) { updatedContainerIds := []string{} - existingContainerIds := policyState.ContainerIndexToContainerIds[index] + existingContainerIds := pe.ContainerIndexToContainerIds[index] for _, id := range existingContainerIds { if id != idToRemove { updatedContainerIds = append(updatedContainerIds, id) } } - policyState.ContainerIndexToContainerIds[index] = updatedContainerIds + pe.ContainerIndexToContainerIds[index] = updatedContainerIds } func equalForOverlay(a1 []string, a2 []string) bool {