add rego integration to source policies #3539
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Encountered this: FROM alpinepackage docker
default allow := false
allow if input.local
allow if {
input.image.hasProvenance
}
decision := {
"allow": allow
} |
Signed-off-by: Tonis Tiigi <[email protected]>
tonistiigi
force-pushed
the
opa-source-policy
branch
from
5ef9d59 to
814f646
Compare
|
@dvdksn should be fixed as part of moby/buildkit#6383 https://gist.github.com/tonistiigi/a8a1fdf39796ba484a31af18afb04bfc#file-9-provenance-dockerfile . Although it looks like there is another issue where if the image is not an OCI index, then you get a different error when parsing instead of a policy deny error. Signature keys have not been implemented yet in this PR. |
policy/types.go
Outdated
| Perm int `json:"perm,omitempty"` | ||
| UID int `json:"uid,omitempty"` | ||
| GID int `json:"gid,omitempty"` |
There was a problem hiding this comment.
Perm would always be 600 I guess - and not sure what UID/GID would show?
There was a problem hiding this comment.
Maybe we should remove them. These are options you can set in LLB that set the values for the downloaded file. But these are not exposed in Dockerfile, and if you use smth like COPY --chmod then this is actually different mode that is applied during the copy.
Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]>
| } | ||
| dockerfileName = handleLowercaseDockerfile(dockerfileDir, dockerfileName) | ||
|
|
||
| if fi, err := os.Lstat(filepath.Join(dockerfileDir, dockerfileName+".rego")); err == nil { |
There was a problem hiding this comment.
nit: err should be returned if err != nil && !errors.Is(err, os.ErrNotExist)
e.g., EACCES
| dockerfileName = handleLowercaseDockerfile(dockerfileDir, dockerfileName) | ||
|
|
||
| if fi, err := os.Lstat(filepath.Join(dockerfileDir, dockerfileName+".rego")); err == nil { | ||
| if fi.Mode().IsRegular() { |
There was a problem hiding this comment.
Any reason to reject symlink?
There was a problem hiding this comment.
Just wanted to make sure there is no breakout here. Normally this shouldn't matter as Dockerfile path symlinks are already resolved and default policy is relative to that resolved path. But I'm ok with symlinks only for policy as well, as long as breakout cases are protected.
Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]>
tonistiigi
force-pushed
the
opa-source-policy
branch
from
777ea7d to
8f7b555
Compare
|
Added new features:
New examples in https://github.com/tonistiigi/buildx-rego-examples . I needed to move away from gist as it doesn't allow pushing directories. |
3 participants
This is an early version of rego format support for defining source policies. Not ready for merge but suitable for early testing and feedback.
Currently many untested parts and unimplemented fields/builtins. I also discovered a bug with git/http metadata resolve in BuildKit that needs to be fixed for support of some fields.
For input schema see
policy/types.goatm until we expose it better.For
app.Dockerfile, matchingapp.Dockerfile.regois loaded. Only local files supported atm. This would be extended with manual control via flags and helper commands for testing.Set
export BUILDX_POLICY_DEBUG=1and use plain progress mode to see the internal input data and policy decisions. This is a temporary debug until there is better progressbar integration.Some examples in https://gist.github.com/tonistiigi/a8a1fdf39796ba484a31af18afb04bfc . BuildKit v0.26 is needed.
@crazy-max @dvdksn @cpuguy83 @colinhemmings