microsoft · dcantah · Sep 28, 2021 · Sep 21, 2021
diff --git a/internal/tools/securitypolicy/README.md b/internal/tools/securitypolicy/README.md
@@ -34,70 +34,84 @@ represented in JSON.
 ```json
 {
   "allow_all": false,
-  "num_containers": 2,
   "containers": {
-    "0": {
-      "num_commands": 2,
-      "command": {
-        "0": "rustc",
-        "1": "--help"
-      },
-      "num_env_rules": 6,
-      "env_rules": {
-        "0": {
-          "strategy": "string",
-          "rule": "PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-        },
-        "1": {
-          "strategy": "string",
-          "rule": "RUSTUP_HOME=/usr/local/rustup"
-        },
-        "2": {
-          "strategy": "string",
-          "rule": "CARGO_HOME=/usr/local/cargo"
-        },
-        "3": {
-          "strategy": "string",
-          "rule": "RUST_VERSION=1.52.1"
+    "length": 2,
+    "elements": {
+      "0": {
+        "command": {
+          "length": 2,
+          "elements": {
+            "0": "rustc",
+            "1": "--help"
+          }
         },
-        "4": {
-          "strategy": "string",
-          "rule": "TERM=xterm"
+        "env_rules": {
+          "length": 6,
+          "elements": {
+            "0": {
+              "strategy": "re2",
+              "rule": "PREFIX_.+=.+"
+            },
+            "1": {
+              "strategy": "string",
+              "rule": "PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            },
+            "2": {
+              "strategy": "string",
+              "rule": "RUSTUP_HOME=/usr/local/rustup"
+            },
+            "3": {
+              "strategy": "string",
+              "rule": "CARGO_HOME=/usr/local/cargo"
+            },
+            "4": {
+              "strategy": "string",
+              "rule": "RUST_VERSION=1.52.1"
+            },
+            "5": {
+              "strategy": "string",
+              "rule": "TERM=xterm"
+            }
+          }
         },
-        "5": {
-          "strategy": "re2",
-          "rule": "PREFIX_.+=.+"
+        "layers": {
+          "length": 6,
+          "elements": {
+            "0": "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
+            "1": "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
+            "2": "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
+            "3": "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
+            "4": "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
+            "5": "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766"
+          }
         }
       },
-      "num_layers": 6,
-      "layers": {
-        "0": "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
-        "1": "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
-        "2": "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
-        "3": "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
-        "4": "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
-        "5": "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766"
-      }
-    },
-    "1": {
-      "num_commands": 1,
-      "command": {
-        "0": "/pause"
-      },
-      "num_env_rules": 2,
-      "env_rules": {
-        "0": {
-          "strategy": "string",
-          "rule": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+      "1": {
+        "command": {
+          "length": 1,
+          "elements": {
+            "0": "/pause"
+          }
         },
-        "1": {
-          "strategy": "string",
-          "rule": "TERM=xterm"
+        "env_rules": {
+          "length": 2,
+          "elements": {
+            "0": {
+              "strategy": "string",
+              "rule": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+            },
+            "1": {
+              "strategy": "string",
+              "rule": "TERM=xterm"
+            }
+          }
+        },
+        "layers": {
+          "length": 1,
+          "elements": {
+            "0": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"
+          }
         }
-      },
-      "num_layers": 1,
-      "layers": {
-        "0": "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"
       }
     }
   }

diff --git a/internal/tools/securitypolicy/main.go b/internal/tools/securitypolicy/main.go
@@ -13,7 +13,7 @@ import (
 	"github.com/BurntSushi/toml"
 	"github.com/Microsoft/hcsshim/ext4/dmverity"
 	"github.com/Microsoft/hcsshim/ext4/tar2ext4"
-	sp "github.com/Microsoft/hcsshim/pkg/securitypolicy"
+	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -47,7 +47,7 @@ func main() {
 			return err
 		}
 
-		policy, err := func() (sp.SecurityPolicy, error) {
+		policy, err := func() (securitypolicy.SecurityPolicy, error) {
 			if config.AllowAll {
 				return createOpenDoorPolicy(), nil
 			} else {
@@ -79,8 +79,8 @@ func main() {
 }
 
 type EnvironmentVariableRule struct {
-	Strategy sp.EnvVarRule `toml:"strategy"`
-	Rule     string        `toml:"rule"`
+	Strategy securitypolicy.EnvVarRule `toml:"strategy"`
+	Rule     string                    `toml:"rule"`
 }
 
 type Container struct {
@@ -100,15 +100,17 @@ type Config struct {
 	Containers []Container `toml:"container"`
 }
 
-func createOpenDoorPolicy() sp.SecurityPolicy {
-	return sp.SecurityPolicy{
+func createOpenDoorPolicy() securitypolicy.SecurityPolicy {
+	return securitypolicy.SecurityPolicy{
 		AllowAll: true,
 	}
 }
 
-func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
-	p := sp.SecurityPolicy{
-		Containers: map[string]sp.SecurityPolicyContainer{},
+func createPolicyFromConfig(config Config) (securitypolicy.SecurityPolicy, error) {
+	p := securitypolicy.SecurityPolicy{
+		Containers: securitypolicy.Containers{
+			Elements: map[string]securitypolicy.Container{},
+		},
 	}
 
 	// Hardcode the pause container version and command. We still pull it
@@ -139,11 +141,12 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 
 		command := convertCommand(configContainer.Command)
 		envRules := convertEnvironmentVariableRules(configContainer.EnvRules)
-		container := sp.SecurityPolicyContainer{
-			NumCommands: len(command),
-			Command:     command,
-			EnvRules:    envRules,
-			Layers:      map[string]string{},
+		container := securitypolicy.Container{
+			Command:  command,
+			EnvRules: envRules,
+			Layers: securitypolicy.Layers{
+				Elements: map[string]string{},
+			},
 		}
 		ref, err := name.ParseReference(configContainer.Name)
 		if err != nil {
@@ -192,48 +195,43 @@ func createPolicyFromConfig(config Config) (sp.SecurityPolicy, error) {
 			}
 			hash := dmverity.RootHash(tree)
 			hashString := fmt.Sprintf("%x", hash)
-			container.Layers = addLayer(container.Layers, hashString)
+			addLayer(&container.Layers, hashString)
 		}
 
-		container.NumLayers = len(layers)
-
 		// add rules for all known environment variables from the configuration
 		// these are in addition to "other rules" from the policy definition file
 		config, err := img.ConfigFile()
 		if err != nil {
 			return p, err
 		}
 		for _, env := range config.Config.Env {
-			rule := sp.SecurityPolicyEnvironmentVariableRule{
-				Strategy: sp.EnvVarRuleString,
+			rule := securitypolicy.EnvRule{
+				Strategy: securitypolicy.EnvVarRuleString,
 				Rule:     env,
 			}
 
-			container.EnvRules = addEnvRule(container.EnvRules, rule)
+			addEnvRule(&container.EnvRules, rule)
 		}
 
 		// cri adds TERM=xterm for all workload containers. we add to all containers
 		// to prevent any possble erroring
-		rule := sp.SecurityPolicyEnvironmentVariableRule{
-			Strategy: sp.EnvVarRuleString,
+		rule := securitypolicy.EnvRule{
+			Strategy: securitypolicy.EnvVarRuleString,
 			Rule:     "TERM=xterm",
 		}
 
-		container.EnvRules = addEnvRule(container.EnvRules, rule)
-		container.NumEnvRules = len(container.EnvRules)
+		addEnvRule(&container.EnvRules, rule)
 
-		p.Containers = addContainer(p.Containers, container)
+		addContainer(&p.Containers, container)
 	}
 
-	p.NumContainers = len(p.Containers)
-
 	return p, nil
 }
 
 func validateEnvRules(rules []EnvironmentVariableRule) error {
 	for _, rule := range rules {
 		switch rule.Strategy {
-		case sp.EnvVarRuleRegex:
+		case securitypolicy.EnvVarRuleRegex:
 			_, err := regexp.Compile(rule.Rule)
 			if err != nil {
 				return err
@@ -244,51 +242,49 @@ func validateEnvRules(rules []EnvironmentVariableRule) error {
 	return nil
 }
 
-func convertCommand(toml []string) map[string]string {
+func convertCommand(toml []string) securitypolicy.CommandArgs {
 	json := map[string]string{}
 
 	for i, arg := range toml {
 		json[strconv.Itoa(i)] = arg
 	}
 
-	return json
+	return securitypolicy.CommandArgs{
+		Elements: json,
+	}
 }
 
-func convertEnvironmentVariableRules(toml []EnvironmentVariableRule) map[string]sp.SecurityPolicyEnvironmentVariableRule {
-	json := map[string]sp.SecurityPolicyEnvironmentVariableRule{}
+func convertEnvironmentVariableRules(toml []EnvironmentVariableRule) securitypolicy.EnvRules {
+	json := map[string]securitypolicy.EnvRule{}
 
 	for i, rule := range toml {
-		jsonRule := sp.SecurityPolicyEnvironmentVariableRule{
+		jsonRule := securitypolicy.EnvRule{
 			Strategy: rule.Strategy,
 			Rule:     rule.Rule,
 		}
 
 		json[strconv.Itoa(i)] = jsonRule
 	}
 
-	return json
+	return securitypolicy.EnvRules{
+		Elements: json,
+	}
 }
 
-func addContainer(containers map[string]sp.SecurityPolicyContainer, container sp.SecurityPolicyContainer) map[string]sp.SecurityPolicyContainer {
-	index := strconv.Itoa(len(containers))
+func addContainer(containers *securitypolicy.Containers, container securitypolicy.Container) {
+	index := strconv.Itoa(len(containers.Elements))
 
-	containers[index] = container
-
-	return containers
+	containers.Elements[index] = container
 }
 
-func addLayer(layers map[string]string, layer string) map[string]string {
-	index := strconv.Itoa(len(layers))
-
-	layers[index] = layer
+func addLayer(layers *securitypolicy.Layers, layer string) {
+	index := strconv.Itoa(len(layers.Elements))
 
-	return layers
+	layers.Elements[index] = layer
 }
 
-func addEnvRule(rules map[string]sp.SecurityPolicyEnvironmentVariableRule, rule sp.SecurityPolicyEnvironmentVariableRule) map[string]sp.SecurityPolicyEnvironmentVariableRule {
-	index := strconv.Itoa(len(rules))
-
-	rules[index] = rule
+func addEnvRule(rules *securitypolicy.EnvRules, rule securitypolicy.EnvRule) {
+	index := strconv.Itoa(len(rules.Elements))
 
-	return rules
+	rules.Elements[index] = rule
 }