C-WCOW: Move securitycontext dir to securitypolicy pkg

Signed-off-by: Mahati Chamarthy <[email protected]>

Author: MahatiC

internal/gcs-sidecar/handlers.go

@@ -104,48 +104,12 @@ func (b *Bridge) createContainer(req *request) (err error) {
 				b.hostState.RemoveContainer(ctx, containerID)
 			}
 		}(err)
-		// Write security policy, signed UVM reference and host AMD certificate to
-		// container's rootfs, so that application and sidecar containers can have
-		// access to it. The security policy is required by containers which need to
-		// extract init-time claims found in the security policy. The directory path
-		// containing the files is exposed via UVM_SECURITY_CONTEXT_DIR env var.
-		// It may be an error to have a security policy but not expose it to the
-		// container as in that case it can never be checked as correct by a verifier.
-		if oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.WCOWSecurityPolicyEnv, true) {
-			encodedPolicy := b.hostState.securityOptions.PolicyEnforcer.EncodedSecurityPolicy()
-			hostAMDCert := spec.Annotations[annotations.WCOWHostAMDCertificate]
-			if len(encodedPolicy) > 0 || len(hostAMDCert) > 0 || len(b.hostState.securityOptions.UvmReferenceInfo) > 0 {
-				// Use os.MkdirTemp to make sure that the directory is unique.
-				securityContextDir, err := os.MkdirTemp(spec.Root.Path, securitypolicy.SecurityContextDirTemplate)
-				if err != nil {
-					return fmt.Errorf("failed to create security context directory: %w", err)
-				}
-				// Make sure that files inside directory are readable
-				if err := os.Chmod(securityContextDir, 0755); err != nil {
-					return fmt.Errorf("failed to chmod security context directory: %w", err)
-				}
 
-				if len(encodedPolicy) > 0 {
-					if err := writeFileInDir(securityContextDir, securitypolicy.PolicyFilename, []byte(encodedPolicy), 0777); err != nil {
-						return fmt.Errorf("failed to write security policy: %w", err)
-					}
-				}
-				if len(b.hostState.securityOptions.UvmReferenceInfo) > 0 {
-					if err := writeFileInDir(securityContextDir, securitypolicy.ReferenceInfoFilename, []byte(b.hostState.securityOptions.UvmReferenceInfo), 0777); err != nil {
-						return fmt.Errorf("failed to write UVM reference info: %w", err)
-					}
-				}
-
-				if len(hostAMDCert) > 0 {
-					if err := writeFileInDir(securityContextDir, securitypolicy.HostAMDCertFilename, []byte(hostAMDCert), 0777); err != nil {
-						return fmt.Errorf("failed to write host AMD certificate: %w", err)
-					}
-				}
-
-				containerCtxDir := fmt.Sprintf("/%s", filepath.Base(securityContextDir))
-				secCtxEnv := fmt.Sprintf("UVM_SECURITY_CONTEXT_DIR=%s", containerCtxDir)
-				spec.Process.Env = append(spec.Process.Env, secCtxEnv)
+		if oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.WCOWSecurityPolicyEnv, true) {
+			if err := b.hostState.securityOptions.WriteSecurityContextDir(&spec); err != nil {
+				return fmt.Errorf("failed to write security context dir: %w", err)
 			}
+			cwcowHostedSystemConfig.Spec = spec
 		}
 
 		// Strip the spec field
@@ -190,20 +154,6 @@ func (b *Bridge) createContainer(req *request) (err error) {
 	return nil
 }
 
-func writeFileInDir(dir string, filename string, data []byte, perm os.FileMode) error {
-	st, err := os.Stat(dir)
-	if err != nil {
-		return err
-	}
-
-	if !st.IsDir() {
-		return fmt.Errorf("not a directory %q", dir)
-	}
-
-	targetFilename := filepath.Join(dir, filename)
-	return os.WriteFile(targetFilename, data, perm)
-}
-
 // processParamEnvToOCIEnv converts an Environment field from ProcessParameters
 // (a map from environment variable to value) into an array of environment
 // variable assignments (where each is in the form "<variable>=<value>") which

internal/guest/runtime/hcsv2/uvm.go

@@ -481,47 +481,9 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 		settings.OCISpecification.Process.Capabilities = capsToKeep
 	}
 
-	// Write security policy, signed UVM reference and host AMD certificate to
-	// container's rootfs, so that application and sidecar containers can have
-	// access to it. The security policy is required by containers which need to
-	// extract init-time claims found in the security policy. The directory path
-	// containing the files is exposed via UVM_SECURITY_CONTEXT_DIR env var.
-	// It may be an error to have a security policy but not expose it to the
-	// container as in that case it can never be checked as correct by a verifier.
 	if oci.ParseAnnotationsBool(ctx, settings.OCISpecification.Annotations, annotations.LCOWSecurityPolicyEnv, true) {
-		encodedPolicy := h.securityOptions.PolicyEnforcer.EncodedSecurityPolicy()
-		hostAMDCert := settings.OCISpecification.Annotations[annotations.LCOWHostAMDCertificate]
-		if len(encodedPolicy) > 0 || len(hostAMDCert) > 0 || len(h.securityOptions.UvmReferenceInfo) > 0 {
-			// Use os.MkdirTemp to make sure that the directory is unique.
-			securityContextDir, err := os.MkdirTemp(settings.OCISpecification.Root.Path, securitypolicy.SecurityContextDirTemplate)
-			if err != nil {
-				return nil, fmt.Errorf("failed to create security context directory: %w", err)
-			}
-			// Make sure that files inside directory are readable
-			if err := os.Chmod(securityContextDir, 0755); err != nil {
-				return nil, fmt.Errorf("failed to chmod security context directory: %w", err)
-			}
-
-			if len(encodedPolicy) > 0 {
-				if err := writeFileInDir(securityContextDir, securitypolicy.PolicyFilename, []byte(encodedPolicy), 0744); err != nil {
-					return nil, fmt.Errorf("failed to write security policy: %w", err)
-				}
-			}
-			if len(h.securityOptions.UvmReferenceInfo) > 0 {
-				if err := writeFileInDir(securityContextDir, securitypolicy.ReferenceInfoFilename, []byte(h.securityOptions.UvmReferenceInfo), 0744); err != nil {
-					return nil, fmt.Errorf("failed to write UVM reference info: %w", err)
-				}
-			}
-
-			if len(hostAMDCert) > 0 {
-				if err := writeFileInDir(securityContextDir, securitypolicy.HostAMDCertFilename, []byte(hostAMDCert), 0744); err != nil {
-					return nil, fmt.Errorf("failed to write host AMD certificate: %w", err)
-				}
-			}
-
-			containerCtxDir := fmt.Sprintf("/%s", filepath.Base(securityContextDir))
-			secCtxEnv := fmt.Sprintf("UVM_SECURITY_CONTEXT_DIR=%s", containerCtxDir)
-			settings.OCISpecification.Process.Env = append(settings.OCISpecification.Process.Env, secCtxEnv)
+		if err := h.securityOptions.WriteSecurityContextDir(settings.OCISpecification); err != nil {
+			return nil, fmt.Errorf("failed to write security context dir: %w", err)
 		}
 	}
 
@@ -1254,20 +1216,6 @@ func isPrivilegedContainerCreationRequest(ctx context.Context, spec *specs.Spec)
 	return oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.LCOWPrivileged, false)
 }
 
-func writeFileInDir(dir string, filename string, data []byte, perm os.FileMode) error {
-	st, err := os.Stat(dir)
-	if err != nil {
-		return err
-	}
-
-	if !st.IsDir() {
-		return fmt.Errorf("not a directory %q", dir)
-	}
-
-	targetFilename := filepath.Join(dir, filename)
-	return os.WriteFile(targetFilename, data, perm)
-}
-
 // Virtual Pod Management Methods
 
 // InitializeVirtualPodSupport sets up the parent cgroup for virtual pods

pkg/securitypolicy/securitypolicy_options.go

@@ -15,6 +15,8 @@ import (
 	didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver"
 	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+	"github.com/Microsoft/hcsshim/pkg/annotations"
+	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -147,3 +149,63 @@ func (s *SecurityOptions) InjectFragment(ctx context.Context, fragment *guestres
 	}
 	return nil
 }
+
+func writeFileInDir(dir string, filename string, data []byte, perm os.FileMode) error {
+	st, err := os.Stat(dir)
+	if err != nil {
+		return err
+	}
+
+	if !st.IsDir() {
+		return fmt.Errorf("not a directory %q", dir)
+	}
+
+	targetFilename := filepath.Join(dir, filename)
+	return os.WriteFile(targetFilename, data, perm)
+}
+
+// Write security policy, signed UVM reference and host AMD certificate to
+// container's rootfs, so that application and sidecar containers can have
+// access to it. The security policy is required by containers which need to
+// extract init-time claims found in the security policy. The directory path
+// containing the files is exposed via UVM_SECURITY_CONTEXT_DIR env var.
+// It may be an error to have a security policy but not expose it to the
+// container as in that case it can never be checked as correct by a verifier.
+func (s *SecurityOptions) WriteSecurityContextDir(spec *specs.Spec) error {
+	encodedPolicy := s.PolicyEnforcer.EncodedSecurityPolicy()
+	hostAMDCert := spec.Annotations[annotations.WCOWHostAMDCertificate]
+	if len(encodedPolicy) > 0 || len(hostAMDCert) > 0 || len(s.UvmReferenceInfo) > 0 {
+		// Use os.MkdirTemp to make sure that the directory is unique.
+		securityContextDir, err := os.MkdirTemp(spec.Root.Path, SecurityContextDirTemplate)
+		if err != nil {
+			return fmt.Errorf("failed to create security context directory: %w", err)
+		}
+		// Make sure that files inside directory are readable
+		if err := os.Chmod(securityContextDir, 0755); err != nil {
+			return fmt.Errorf("failed to chmod security context directory: %w", err)
+		}
+
+		if len(encodedPolicy) > 0 {
+			if err := writeFileInDir(securityContextDir, PolicyFilename, []byte(encodedPolicy), 0777); err != nil {
+				return fmt.Errorf("failed to write security policy: %w", err)
+			}
+		}
+		if len(s.UvmReferenceInfo) > 0 {
+			if err := writeFileInDir(securityContextDir, ReferenceInfoFilename, []byte(s.UvmReferenceInfo), 0777); err != nil {
+				return fmt.Errorf("failed to write UVM reference info: %w", err)
+			}
+		}
+
+		if len(hostAMDCert) > 0 {
+			if err := writeFileInDir(securityContextDir, HostAMDCertFilename, []byte(hostAMDCert), 0777); err != nil {
+				return fmt.Errorf("failed to write host AMD certificate: %w", err)
+			}
+		}
+
+		containerCtxDir := fmt.Sprintf("/%s", filepath.Base(securityContextDir))
+		secCtxEnv := fmt.Sprintf("UVM_SECURITY_CONTEXT_DIR=%s", containerCtxDir)
+		spec.Process.Env = append(spec.Process.Env, secCtxEnv)
+
+	}
+	return nil
+}