Tags: rlmyfs/hcsshim
rego policy enforcer should use the same user parsing logic as GCS (microsoft#2405)

This PR fixes a discrepancy in user info handling between GCS and the rego policy enforcer. For example, GCS doesn't require the user/group to exist in the container's /etc/passwd and /etc/group and has a fallback to UID and GID 0 when the user is absent. Rego enforcer's `GetUserInfo`, however, always tries to look up the user/group in /etc/passwd and /etc/group and returns an error when the UID doesn't exist. This behavior is inconsistent with non-confidential LCOW workloads and is fixed in this PR.

To avoid circular imports, the spec.go and spec_devices.go under `internal/guest/runtime/hcsv2` have been moved under `internal/guest/spec` and the dependent code updated accordingly. As a result a bunch of methods are now exported, but still under `internal`, so this shouldn't cause problems.

User parsing has been updated and split into `ParseUserStr`, which returns UID and GID for a given `username` string, and `SetUserStr`, which just sets the UID and GID for the OCI process. Rego enforcer's `GetUserInfo` now prioritizes the result of `ParseUserStr` and falls back to the previous behavior of UID/GID lookup in the container's filesystem.

Signed-off-by: Maksim An <maksiman@microsoft.com>
Omnibus dependabot update (microsoft#2347)

* Omnibus dependabot update

Consolidate and resolve the dependabot PRs (mostly handling nested modules):
- 2267
- 2296
- 2307
- 2315
- 2323
- 2324
- 2333
- 2334
- 2335
- 2336
- 2339
- 2340
- 2341
- 2345 (https://github.com/microsoft/hcsshim/security/dependabot/113)
- 2346 (https://github.com/microsoft/hcsshim/security/dependabot/115)

Two commits: the first is core updates, the second is module tidy and vendor, along with (protobuf) file regen.

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

* go mod tidy and vendor, protobuf update

Replace deprecated `github.com/opencontainers/runc/libcontainer/user` with `github.com/moby/sys/user` (which it is an alias for).

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>

---------

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
Update containerd to v1.7.23 (microsoft#2295)

Signed-off-by: Derek McGowan <derek@mcg.dev>

Merge pull request microsoft#2293 from dmcgowan/update-containerd-1.7.23

Update containerd to v1.7.23

Update the retracted version of github.com/veraison/go-cose

Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>

Omnibus dependency updates (microsoft#2051)

Consolidate dependabot updates:
- github.com/microsoft/pull/2050
- github.com/microsoft/pull/2048
- github.com/microsoft/pull/2047
- github.com/microsoft/pull/2046
- github.com/microsoft/pull/2045
- github.com/microsoft/pull/2044
- github.com/microsoft/pull/2043
- github.com/microsoft/pull/2042

Signed-off-by: Hamza El-Saawy <hamzaelsaawy@microsoft.com>
(cherry picked from commit 060de7c)
Signed-off-by: Kirtana Ashok <kiashok@microsoft.com>