rego: Allow sending SIGTERM and SIGKILL to the container init process in old policies (#2540)

micromaomao · anmaxvl · web-flow · commit 04d91ee2e7d5 · 2026-01-13T22:26:09.000-08:00
* rego: Allow sending SIGTERM and SIGKILL to the container init process in old policies We used to allow SIGTERM/SIGKILL the container init process even if the container's signals list is empty due to a bug fixed in #2538. However, because our tooling has been generating policies with an empty signals list, we need to special case this for old policies to maintain backwards compatibility. Update framework.rego to have SIGTERM and SIGKILL as default kill signals for init process for framework API versions "0.4.1" and below. Newer policies must explicitly have these signals present, otherwise sending signal will be denied. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com> Co-authored-by: Maksim An <maksiman@microsoft.com> * Fix missing denial reason when a signal request to a non-init process is denied This happens if the container.signals list contains relevant signals, but the process's signals list does not allow the signal. Old: {"decision":"deny","input":{"argList":["/bin/sleep","infinity"],"containerID":"0971693a04cdd4f2eeefc569754b5cd8046ec0b7c7ed6899bb3dec0dd45ba735","isInitProcess":false,"rule":"signal_container_process","signal":9},"reason":{"errors":[]}} Now: {"decision":"deny","input":{"argList":["/bin/sleep","infinity"],"containerID":"3873bfc939e2415892b5b74a7b1dbade0f7222e266df43df85968ddda59be56e","isInitProcess":false,"rule":"signal_container_process","signal":9},"reason":{"errors":["target isn't allowed to receive the signal"]}} Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com> --------- Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com> Co-authored-by: Maksim An <maksiman@microsoft.com>
diff --git a/pkg/securitypolicy/framework.rego b/pkg/securitypolicy/framework.rego
@@ -1488,11 +1488,13 @@ errors[mountError] {
 default signal_allowed := false
 
 signal_allowed {
+    input.isInitProcess
     some container in data.metadata.matches[input.containerID]
     signal_ok(container.signals)
 }
 
 signal_allowed {
+    not input.isInitProcess
     some container in data.metadata.matches[input.containerID]
     some process in container.exec_processes
     command_ok(process.command)
@@ -1960,7 +1962,7 @@ check_container(raw_container, framework_version) := container {
         "allow_elevated": raw_container.allow_elevated,
         "working_dir": raw_container.working_dir,
         "exec_processes": raw_container.exec_processes,
-        "signals": raw_container.signals,
+        "signals": check_signals(raw_container, framework_version),
         "allow_stdio_access": raw_container.allow_stdio_access,
         # Additional fields need to have default logic applied
         "no_new_privileges": check_no_new_privileges(raw_container, framework_version),
@@ -2026,6 +2028,16 @@ check_seccomp_profile_sha256(raw_container, framework_version) := seccomp_profil
     seccomp_profile_sha256 := ""
 }
 
+check_signals(raw_container, framework_version) := signals {
+    semver.compare(framework_version, "0.4.1") >= 0
+    signals := raw_container.signals
+}
+
+check_signals(raw_container, framework_version) := signals {
+    semver.compare(framework_version, "0.4.1") < 0
+    signals := array.concat(raw_container.signals, [9, 15])
+}
+
 check_external_process(raw_process, framework_version) := process {
     semver.compare(framework_version, version) == 0
     process := raw_process
diff --git a/pkg/securitypolicy/version_framework b/pkg/securitypolicy/version_framework
@@ -1 +1 @@
-0.4.0
+0.4.1
