rego: Allow sending SIGTERM and SIGKILL to the container init process in old policies #2540
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
micromaomao
force-pushed
the
tingmao_github/gcs-fix-kill
branch
from
698ae5c to
57928e5
Compare
micromaomao
force-pushed
the
tingmao_github/gcs-fix-kill
branch
from
57928e5 to
3795301
Compare
… in old policies We used to allow SIGTERM/SIGKILL the container init process even if the container's signals list is empty due to a bug fixed in microsoft#2538. However, because our tooling has been generating policies with an empty signals list, we need to special case this for old policies to maintain backwards compatibility. Update framework.rego to have SIGTERM and SIGKILL as default kill signals for init process for framework API versions "0.4.1" and below. Newer policies must explicitly have these signals present, otherwise sending signal will be denied. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com> Co-authored-by: Maksim An <maksiman@microsoft.com>
… is denied
This happens if the container.signals list contains relevant signals, but the
process's signals list does not allow the signal.
Old:
{"decision":"deny","input":{"argList":["/bin/sleep","infinity"],"containerID":"0971693a04cdd4f2eeefc569754b5cd8046ec0b7c7ed6899bb3dec0dd45ba735","isInitProcess":false,"rule":"signal_container_process","signal":9},"reason":{"errors":[]}}
Now:
{"decision":"deny","input":{"argList":["/bin/sleep","infinity"],"containerID":"3873bfc939e2415892b5b74a7b1dbade0f7222e266df43df85968ddda59be56e","isInitProcess":false,"rule":"signal_container_process","signal":9},"reason":{"errors":["target isn't allowed to receive the signal"]}}
Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com>
micromaomao
force-pushed
the
tingmao_github/gcs-fix-kill
branch
from
3795301 to
5e02034
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We used to allow SIGTERM/SIGKILL the container init process even if the
container's signals list is empty due to a bug fixed in #2538. However, because
our tooling has been generating policies with an empty signals list, we need to
special case this for old policies to maintain backwards compatibility.
Update framework.rego to have SIGTERM and SIGKILL as default kill signals for
init process for framework API versions "0.4.1" and below. Newer policies must
explicitly have these signals present, otherwise sending signal will be denied.
TODO: decide what to do with ShutdownGraceful/ShutdownForced - currently
this is another way to send SIGTERM / KILL that bypasses rego policy check