# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
package policy
# Version of the policy schema this document is written against.
# NOTE(review): presumably compared by the framework rules under
# data.framework before the policy is honoured — confirm there.
api_version := "0.10.0"

# Version of the framework (data.framework) whose rules this policy
# delegates to further down in this file.
framework_version := "0.3.0"
# Policy fragments this policy accepts. NOTE(review): presumably consumed by
# the framework's load_fragment rule — confirm. Each entry names the signer
# (issuer), the feed the fragment is published on, and which fragment
# namespaces are imported; only "containers" is imported here.
fragments := [
    {
        "issuer": "did:web:contoso.com",
        "feed": "contoso.azurecr.io/infra",
        # Lowest acceptable security version number for the fragment.
        # NOTE(review): presumably rollback protection; confirm in framework.
        "minimum_svn": "1",
        "includes": ["containers"],
    },
]
# Allow-listed container definitions. NOTE(review): the framework rules
# (create_container / exec_in_container, aliased below) presumably match a
# requested container against these entries — confirm in data.framework.
# Field semantics ("strategy" values, the meaning of a null capabilities
# object, layer ordering) are defined by the framework, not by this file.
containers := [
    # Container 1: a rustc image that only runs "rustc --help".
    # NOTE(review): this entry carries CAP_SYS_ADMIN in all five capability
    # sets together with "allow_elevated": true, which is close to full host
    # privilege. That is acceptable for a test fixture exercising the
    # capability paths, but should not be copied into a production policy.
    {
        "command": ["rustc", "--help"],
        # Environment rules. "string" entries look like exact matches and
        # "re2" entries like regular expressions; "required" presumably means
        # the variable must be present — confirm in framework.
        "env_rules": [
            {
                "pattern": `PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`,
                "strategy": "string",
                "required": true,
            },
            {"pattern": `RUSTUP_HOME=/usr/local/rustup`, "strategy": "string", "required": true},
            {"pattern": `CARGO_HOME=/usr/local/cargo`, "strategy": "string", "required": true},
            {"pattern": `RUST_VERSION=1.52.1`, "strategy": "string", "required": true},
            {"pattern": `TERM=xterm`, "strategy": "string", "required": false},
            # Optional regex rule: any PREFIX_* variable with a non-empty
            # value is accepted.
            {"pattern": `PREFIX_.+=.+`, "strategy": "re2", "required": false},
        ],
        # Expected image layer digests (hex SHA-256). NOTE(review): the order
        # is presumably significant to the framework — confirm.
        "layers": [
            "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
            "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
            "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
            "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
            "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
            "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766",
        ],
        # Permitted bind mounts; the first is read-write, the second read-only.
        "mounts": [
            {
                "destination": "/container/path/one",
                "options": ["rbind", "rshared", "rw"],
                "source": "sandbox:///host/path/one",
                "type": "bind",
            },
            {
                "destination": "/container/path/two",
                "options": ["rbind", "rshared", "ro"],
                "source": "sandbox:///host/path/two",
                "type": "bind",
            },
        ],
        # Processes that may be exec'd into the running container.
        "exec_processes": [{"command": ["top"], "signals": []}],
        "signals": [],
        # Empty pattern with strategy "any": no constraint on user or groups.
        "user": {
            "user_idname": {"pattern": ``, "strategy": "any"},
            "group_idnames": [{"pattern": ``, "strategy": "any"}],
            "umask": "0022",
        },
        "capabilities": {
            "bounding": ["CAP_SYS_ADMIN"],
            "effective": ["CAP_SYS_ADMIN"],
            "inheritable": ["CAP_SYS_ADMIN"],
            "permitted": ["CAP_SYS_ADMIN"],
            "ambient": ["CAP_SYS_ADMIN"],
        },
        # Empty digest: no seccomp profile is pinned for this container.
        "seccomp_profile_sha256": "",
        "allow_elevated": true,
        "working_dir": "/home/user",
        "allow_stdio_access": false,
        "no_new_privileges": true,
    },
    # Container 2: the "/pause" container (presumably the sandbox
    # infrastructure container). No mounts, no exec, no capabilities object.
    {
        "command": ["/pause"],
        "env_rules": [
            {
                "pattern": `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`,
                "strategy": "string",
                "required": true,
            },
            {"pattern": `TERM=xterm`, "strategy": "string", "required": false},
        ],
        "layers": ["16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415"],
        "mounts": [],
        "exec_processes": [],
        "signals": [],
        "user": {
            "user_idname": {"pattern": ``, "strategy": "any"},
            "group_idnames": [{"pattern": ``, "strategy": "any"}],
            "umask": "0022",
        },
        # NOTE(review): how the framework treats null (as opposed to an
        # explicit set of empty lists) is not visible here — confirm.
        "capabilities": null,
        "seccomp_profile_sha256": "",
        "allow_elevated": false,
        "working_dir": "/",
        "allow_stdio_access": false,
        "no_new_privileges": true,
    },
]
# Processes allowed to run in the utility VM outside any container.
# NOTE(review): presumably matched by exec_external (aliased below) — confirm.
# Allowing a shell here is a powerful grant; it is kept non-interactive by
# "allow_stdio_access": false.
external_processes := [
    {
        "command": ["bash"],
        "env_rules": [
            {
                "pattern": `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`,
                "strategy": "string",
                "required": true,
            },
        ],
        "working_dir": "/",
        "allow_stdio_access": false,
    },
]
# Global policy switches. Each is presumably read by the like-named framework
# rule (get_properties, dump_stacks, runtime_logging, scratch_mount, ...) —
# confirm in data.framework. Everything that leaks information out of the
# sandbox is off; the only permissive switch is capability dropping.

# Diagnostics and host introspection: all disabled.
allow_properties_access := false

allow_dump_stacks := false

allow_runtime_logging := false

# Environment variables that fail env_rules are not silently dropped.
# NOTE(review): exact semantics live in the framework — confirm.
allow_environment_variable_dropping := false

# Scratch storage must be encrypted.
allow_unencrypted_scratch := false

# Containers may start with fewer capabilities than listed in their entry.
# NOTE(review): direction of this relaxation is inferred from the name — confirm.
allow_capability_dropping := true
# Enforcement entry points. Every decision is delegated unchanged to the
# framework rule of the same name under data.framework; this policy only
# supplies the data (containers, fragments, switches) those rules consult.
# Grouped by lifecycle stage below; Rego rules are order-independent.

# Block devices and image layers.
mount_device := data.framework.mount_device

unmount_device := data.framework.unmount_device

mount_overlay := data.framework.mount_overlay

unmount_overlay := data.framework.unmount_overlay

# Container lifecycle.
create_container := data.framework.create_container

shutdown_container := data.framework.shutdown_container

signal_container_process := data.framework.signal_container_process

# Process execution inside a container and in the utility VM.
exec_in_container := data.framework.exec_in_container

exec_external := data.framework.exec_external

# Host-shared (plan9) and scratch storage.
plan9_mount := data.framework.plan9_mount

plan9_unmount := data.framework.plan9_unmount

scratch_mount := data.framework.scratch_mount

scratch_unmount := data.framework.scratch_unmount

# Diagnostics; gated by the allow_* switches above.
get_properties := data.framework.get_properties

dump_stacks := data.framework.dump_stacks

runtime_logging := data.framework.runtime_logging

# Loading of signed policy fragments listed in `fragments`.
load_fragment := data.framework.load_fragment
# Explanation returned alongside a denial: the framework's error messages
# and their structured counterparts. NOTE(review): how these are populated
# is defined in data.framework, not here.
reason := {
    "errors": data.framework.errors,
    "error_objects": data.framework.error_objects,
}