Merge pull request kata-containers#10291 from microsoft/danmihai1/use…

…r-name-to-uid genpolicy: fix and re-enable create container UID verification
Sumynwa · Sep 12, 2024 · e937cb1 · e937cb1
2 parents 614328f + 0c5ac04
commit e937cb1
Show file tree

Hide file tree

Showing 7 changed files with 312 additions and 107 deletions.
diff --git a/src/tools/genpolicy/Cargo.lock b/src/tools/genpolicy/Cargo.lock
diff --git a/src/tools/genpolicy/Cargo.toml b/src/tools/genpolicy/Cargo.toml
@@ -69,5 +69,8 @@ tonic = "0.9.2"
 tower = "0.4.13"
 containerd-client = "0.4.0"
 
+# username to UID:GID mapping support
+tar = "0.4.41"
+
 [dev-dependencies]
 regorus = { version = "0.1.4", default-features = false, features = ["arc", "regex"]}
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
@@ -540,9 +540,8 @@ allow_user(p_process, i_process) {
     p_user := p_process.User
     i_user := i_process.User
 
-    # TODO: remove this workaround when fixing https://github.com/kata-containers/kata-containers/issues/9928.
-    #print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
-    #p_user.UID == i_user.UID
+    print("allow_user: input uid =", i_user.UID, "policy uid =", p_user.UID)
+    p_user.UID == i_user.UID
 
     # TODO: track down the reason for registry.k8s.io/pause:3.9 being
     #       executed with gid = 0 despite having "65535:65535" in its container image