From 7f3af609028622f89b3ffefa2f4e919958e91f8c Mon Sep 17 00:00:00 2001
From: Maksim An
Date: Tue, 15 Mar 2022 23:50:08 -0700
Subject: [PATCH] Add handling of ENTRYPOINT and CMD when "command" not in policy

Container images may contain ENTRYPOINT and CMD directives and in the case when "command" is missing in policy config, that information needs to be inferred from the image itself.
Signed-off-by: Maksim An
---
 .../tools/securitypolicy/helpers/helpers.go | 20 +++++++++++++++++++
 .../tools/securitypolicy/helpers/helpers.go | 20 +++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/internal/tools/securitypolicy/helpers/helpers.go b/internal/tools/securitypolicy/helpers/helpers.go
index 614e5c10e8..309ba3f320 100644
--- a/internal/tools/securitypolicy/helpers/helpers.go
+++ b/internal/tools/securitypolicy/helpers/helpers.go
@@ -92,6 +92,19 @@ func ParseWorkingDirFromImage(img v1.Image) (string, error) {
 	return "/", nil
 }
 
+// ParseCommandFromImage inspects the image and returns the command args, which
+// is a combination of ENTRYPOINT and CMD Docker directives.
+func ParseCommandFromImage(img v1.Image) ([]string, error) {
+	imgConfig, err := img.ConfigFile()
+	if err != nil {
+		return nil, err
+	}
+
+	cmdArgs := imgConfig.Config.Entrypoint
+	cmdArgs = append(cmdArgs, imgConfig.Config.Cmd...)
+	return cmdArgs, nil
+}
+
 // PolicyContainersFromConfigs returns a slice of securitypolicy.Container generated
 // from a slice of securitypolicy.ContainerConfig's
 func PolicyContainersFromConfigs(containerConfigs []securitypolicy.ContainerConfig) ([]*securitypolicy.Container, error) {
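Review bot: `cmdArgs := imgConfig.Config.Entrypoint` followed by `cmdArgs = append(cmdArgs, imgConfig.Config.Cmd...)` appends into the backing array of the config's Entrypoint slice; if that array has spare capacity and the returned *v1.ConfigFile is cached or shared by the v1.Image implementation (not visible here), the CMD elements are written into memory owned by the image config rather than into a fresh slice. Build the result independently: `cmdArgs := make([]string, 0, len(imgConfig.Config.Entrypoint)+len(imgConfig.Config.Cmd))`, `cmdArgs = append(cmdArgs, imgConfig.Config.Entrypoint...)`, `cmdArgs = append(cmdArgs, imgConfig.Config.Cmd...)`. An image that declares neither ENTRYPOINT nor CMD returns an empty slice with a nil error, which the doc comment should state so callers of a policy generator know they must treat that case themselves, e.g. `// Returns an empty slice (and no error) when the image sets neither directive.` The ENTRYPOINT-then-CMD concatenation matches Docker exec-form semantics, but shell-form directives are already stored by the image builder as `/bin/sh -c ...`, so no further handling is needed here — worth a one-line comment so the next reader does not add it.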
@@ -118,6 +131,13 @@ func PolicyContainersFromConfigs(containerConfigs []securitypolicy.ContainerConf
 			return nil, err
 		}
 
+		commandArgs := containerConfig.Command
+		if len(commandArgs) == 0 {
+			commandArgs, err = ParseCommandFromImage(img)
+			if err != nil {
+				return nil, err
+			}
+		}
 		// add rules for all known environment variables from the configuration
 		// these are in addition to "other rules" from the policy definition file
 		envVars, err := ParseEnvFromImage(img)
diff --git a/test/vendor/github.com/Microsoft/hcsshim/internal/tools/securitypolicy/helpers/helpers.go b/test/vendor/github.com/Microsoft/hcsshim/internal/tools/securitypolicy/helpers/helpers.go
index 614e5c10e8..309ba3f320 100644
--- a/test/vendor/github.com/Microsoft/hcsshim/internal/tools/securitypolicy/helpers/helpers.go
+++ b/test/vendor/github.com/Microsoft/hcsshim/internal/tools/securitypolicy/helpers/helpers.go
@@ -92,6 +92,19 @@ func ParseWorkingDirFromImage(img v1.Image) (string, error) {
 	return "/", nil
 }
 
+// ParseCommandFromImage inspects the image and returns the command args, which
+// is a combination of ENTRYPOINT and CMD Docker directives.
+func ParseCommandFromImage(img v1.Image) ([]string, error) {
+	imgConfig, err := img.ConfigFile()
+	if err != nil {
+		return nil, err
+	}
+
+	cmdArgs := imgConfig.Config.Entrypoint
+	cmdArgs = append(cmdArgs, imgConfig.Config.Cmd...)
+	return cmdArgs, nil
+}
+
 // PolicyContainersFromConfigs returns a slice of securitypolicy.Container generated
 // from a slice of securitypolicy.ContainerConfig's
 func PolicyContainersFromConfigs(containerConfigs []securitypolicy.ContainerConfig) ([]*securitypolicy.Container, error) {
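Review bot: When the policy omits "command" and the image sets neither ENTRYPOINT nor CMD, the added block leaves `commandArgs` empty and execution continues with no error, so the generated security policy silently carries an inferred empty command with nothing telling the operator that inference failed; after the fallback add `if len(commandArgs) == 0 { return nil, errors.New("no command in policy config and none in image") }` (the errors import is not visible in this hunk and may be needed). The `len(commandArgs) == 0` test also makes an explicit empty `command: []` in the config indistinguishable from an absent one, which may be intended but should be stated, e.g. `// "command" absent or empty in the config: fall back to the image's ENTRYPOINT+CMD`. Because the fallback derives an allow-listed command from the fetched image rather than from the operator's config, the policy is only as trustworthy as that image at generation time — presumably acceptable since layer hashes are taken from the same image, but the doc comment on PolicyContainersFromConfigs should say the command can come from the image. PolicyContainersFromConfigs begins and ends outside the hunk, and the line that consumes `commandArgs` is not visible here.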
@@ -118,6 +131,13 @@ func PolicyContainersFromConfigs(containerConfigs []securitypolicy.ContainerConf
 			return nil, err
 		}
 
+		commandArgs := containerConfig.Command
+		if len(commandArgs) == 0 {
+			commandArgs, err = ParseCommandFromImage(img)
+			if err != nil {
+				return nil, err
+			}
+		}
 		// add rules for all known environment variables from the configuration
 		// these are in addition to "other rules" from the policy definition file
 		envVars, err := ParseEnvFromImage(img)