Merged PR 12878106: Small rego fixes

[cherry-picked from 0ca40bb4f130b3508f4a130011463070328d40d0]

- rego: Fix missing error reason when mounting a rw device to an existing mount point.

  This fixes a missing error message introduced in the last round of security
  fixes.  It's not hugely important, but eases debugging if we get policy
  denials on mounting the scratch, for whatever reason.  Also adds test for it.

- Remove a no-op from rego

  Checked with @<Matthew Johnson (AR)> earlier that this basically does nothing
  and is just something left over.  However I will not actually add a remove op
  for `metadata.started` for now.

This PR is targeting the conf-aci branch on ADO because the commit being fixed
is not on main yet.  This should be backported to main together with the fixes
from last month.

Signed-off-by: Tingmao Wang <[email protected]>

Author: micromaomao

pkg/securitypolicy/framework.rego

@@ -901,7 +901,7 @@ exec_in_container := {"metadata": [updateMatches],
 
 default shutdown_container := {"allowed": false}
 
-shutdown_container := {"started": remove, "metadata": [remove], "allowed": true} {
+shutdown_container := {"metadata": [remove], "allowed": true} {
     container_started
     remove := {
         "name": "matches",
@@ -1313,7 +1313,7 @@ errors["deviceHash not found"] {
 }
 
 errors["device already mounted at path"] {
-    input.rule == "mount_device"
+    input.rule in ["mount_device", "rw_mount_device"]
     device_mounted(input.target)
 }
 

pkg/securitypolicy/regopolicy_linux_test.go

@@ -378,7 +378,7 @@ func Test_Rego_EnforceDeviceMountPolicy_InvalidMountTarget_PathTraversal(t *test
 	assertDecisionJSONContains(t, err, "mountpoint invalid")
 }
 
-func deviceMountUnmountTest(t *testing.T, p *generatedConstraints, policy *regoEnforcer, mountScratchFirst, unmountScratchFirst, testInvalidUnmount bool) bool {
+func deviceMountUnmountTest(t *testing.T, p *generatedConstraints, policy *regoEnforcer, mountScratchFirst, unmountScratchFirst, testDenials bool) bool {
 	container := selectContainerFromContainerList(p.containers, testRand)
 	containerID := testDataGenerator.uniqueContainerID()
 	rotarget := testDataGenerator.uniqueLayerMountTarget()
@@ -414,6 +414,18 @@ func deviceMountUnmountTest(t *testing.T, p *generatedConstraints, policy *regoE
 		}
 	}
 
+	if testDenials {
+		err = policy.EnforceRWDeviceMountPolicy(p.ctx, rwtarget, true, true, "xfs")
+		if !assertDecisionJSONContains(t, err, "device already mounted at path") {
+			return false
+		}
+
+		err = policy.EnforceDeviceMountPolicy(p.ctx, rotarget, container.Layers[0])
+		if !assertDecisionJSONContains(t, err, "device already mounted at path") {
+			return false
+		}
+	}
+
 	unmountScratch := func() bool {
 		err = policy.EnforceRWDeviceUnmountPolicy(p.ctx, rwtarget)
 		if err != nil {
@@ -442,7 +454,7 @@ func deviceMountUnmountTest(t *testing.T, p *generatedConstraints, policy *regoE
 		}
 	}
 
-	if testInvalidUnmount {
+	if testDenials {
 		err = policy.EnforceDeviceUnmountPolicy(p.ctx, rotarget)
 		if !assertDecisionJSONContains(t, err, "no device at path to unmount") {
 			return false