C-WCOW: Move InjectFragment to securitypolicy pkg

Signed-off-by: Mahati Chamarthy <[email protected]>

Author: MahatiC

internal/gcs-sidecar/handlers.go

@@ -618,7 +618,7 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			if !ok {
 				return errors.New("the request settings are not of type SecurityPolicyFragment")
 			}
-			return b.hostState.InjectFragment(ctx, r)
+			return b.hostState.securityOptions.InjectFragment(ctx, r)
 		case guestresource.ResourceTypeWCOWBlockCims:
 			// This is request to mount the merged cim at given volumeGUID
 			if modifyGuestSettingsRequest.RequestType == guestrequest.RequestTypeRemove {

internal/gcs-sidecar/host.go

@@ -5,7 +5,6 @@ package bridge
 
 import (
 	"context"
-	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -15,10 +14,8 @@ import (
 	hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
 	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/logfields"
-	oci "github.com/Microsoft/hcsshim/internal/oci"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
 	"github.com/Microsoft/hcsshim/internal/pspdriver"
-	"github.com/Microsoft/hcsshim/pkg/annotations"
 	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
@@ -62,77 +59,6 @@ func NewHost(initialEnforcer securitypolicy.SecurityPolicyEnforcer, logWriter io
 	}
 }
 
-// Write security policy, signed UVM reference and host AMD certificate to
-// container's rootfs, so that application and sidecar containers can have
-// access to it. The security policy is required by containers which need to
-// extract init-time claims found in the security policy. The directory path
-// containing the files is exposed via UVM_SECURITY_CONTEXT_DIR env var.
-// It may be an error to have a security policy but not expose it to the
-// container as in that case it can never be checked as correct by a verifier.
-func (h *Host) SetupSecurityContextDir(ctx context.Context, spec *specs.Spec) error {
-	if oci.ParseAnnotationsBool(ctx, spec.Annotations, annotations.WCOWSecurityPolicyEnv, true) {
-		encodedPolicy := h.securityPolicyEnforcer.EncodedSecurityPolicy()
-		hostAMDCert := spec.Annotations[annotations.WCOWHostAMDCertificate]
-		if len(encodedPolicy) > 0 || len(hostAMDCert) > 0 || len(h.uvmReferenceInfo) > 0 {
-			// Use os.MkdirTemp to make sure that the directory is unique.
-			securityContextDir, err := os.MkdirTemp(spec.Root.Path, securitypolicy.SecurityContextDirTemplate)
-			if err != nil {
-				return fmt.Errorf("failed to create security context directory: %w", err)
-			}
-			// Make sure that files inside directory are readable
-			if err := os.Chmod(securityContextDir, 0755); err != nil {
-				return fmt.Errorf("failed to chmod security context directory: %w", err)
-			}
-
-			if len(encodedPolicy) > 0 {
-				if err := writeFileInDir(securityContextDir, securitypolicy.PolicyFilename, []byte(encodedPolicy), 0777); err != nil {
-					return fmt.Errorf("failed to write security policy: %w", err)
-				}
-			}
-			if len(h.uvmReferenceInfo) > 0 {
-				if err := writeFileInDir(securityContextDir, securitypolicy.ReferenceInfoFilename, []byte(h.uvmReferenceInfo), 0777); err != nil {
-					return fmt.Errorf("failed to write UVM reference info: %w", err)
-				}
-			}
-
-			if len(hostAMDCert) > 0 {
-				if err := writeFileInDir(securityContextDir, securitypolicy.HostAMDCertFilename, []byte(hostAMDCert), 0777); err != nil {
-					return fmt.Errorf("failed to write host AMD certificate: %w", err)
-				}
-			}
-
-			containerCtxDir := fmt.Sprintf("/%s", filepath.Base(securityContextDir))
-			secCtxEnv := fmt.Sprintf("UVM_SECURITY_CONTEXT_DIR=%s", containerCtxDir)
-			spec.Process.Env = append(spec.Process.Env, secCtxEnv)
-		}
-	}
-	return nil
-}
-
-// InjectFragment extends current security policy with additional constraints
-// from the incoming fragment. Note that it is base64 encoded over the bridge/
-//
-// There are three checking steps:
-// 1 - Unpack the cose document and check it was actually signed with the cert
-// chain inside its header
-// 2 - Check that the issuer field did:x509 identifier is for that cert chain
-// (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
-// 3 - Check that this issuer/feed match the requirement of the user provided
-// security policy (done in the regoby LoadFragment)
-func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
-	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment")
-	issuer, feed, payloadString, err := securitypolicy.ExtractAndVerifyFragment(ctx, fragment)
-	if err != nil {
-		return err
-	}
-	// now offer the payload fragment to the policy
-	err = h.securityOptions.PolicyEnforcer.LoadFragment(ctx, issuer, feed, payloadString)
-	if err != nil {
-		return fmt.Errorf("error loading security policy fragment: %w", err)
-	}
-	return nil
-}
-
 func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicyRequest *guestresource.ConfidentialOptions) error {
 	if err := pspdriver.GetPspDriverError(); err != nil {
 		// For this case gcs-sidecar will keep initial deny policy.

internal/guest/runtime/hcsv2/uvm.go

@@ -139,30 +139,6 @@ func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.C
 	return nil
 }
 
-// InjectFragment extends current security policy with additional constraints
-// from the incoming fragment. Note that it is base64 encoded over the bridge/
-//
-// There are three checking steps:
-// 1 - Unpack the cose document and check it was actually signed with the cert
-// chain inside its header
-// 2 - Check that the issuer field did:x509 identifier is for that cert chain
-// (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
-// 3 - Check that this issuer/feed match the requirement of the user provided
-// security policy (done in the regoby LoadFragment)
-func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
-	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment")
-	issuer, feed, payloadString, err := securitypolicy.ExtractAndVerifyFragment(ctx, fragment)
-	if err != nil {
-		return err
-	}
-	// now offer the payload fragment to the policy
-	err = h.securityOptions.PolicyEnforcer.LoadFragment(ctx, issuer, feed, payloadString)
-	if err != nil {
-		return fmt.Errorf("error loading security policy fragment: %w", err)
-	}
-	return nil
-}
-
 func (h *Host) SecurityPolicyEnforcer() securitypolicy.SecurityPolicyEnforcer {
 	return h.securityOptions.PolicyEnforcer
 }
@@ -764,7 +740,7 @@ func (h *Host) modifyHostSettings(ctx context.Context, containerID string, req *
 		if !ok {
 			return errors.New("the request settings are not of type SecurityPolicyFragment")
 		}
-		return h.InjectFragment(ctx, r)
+		return h.securityOptions.InjectFragment(ctx, r)
 	default:
 		return errors.Errorf("the ResourceType %q is not supported for UVM", req.ResourceType)
 	}

pkg/securitypolicy/securitypolicy_options.go

@@ -2,10 +2,19 @@ package securitypolicy
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
 	"fmt"
 	"io"
+	"os"
+	"path/filepath"
 	"sync"
+	"time"
 
+	"github.com/Microsoft/cosesign1go/pkg/cosesign1"
+	didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -70,3 +79,71 @@ func (s *SecurityOptions) SetConfidentialOptions(ctx context.Context, enforcerTy
 
 	return nil
 }
+
+// Fragment extends current security policy with additional constraints
+// from the incoming fragment. Note that it is base64 encoded over the bridge/
+//
+// There are three checking steps:
+// 1 - Unpack the cose document and check it was actually signed with the cert
+// chain inside its header
+// 2 - Check that the issuer field did:x509 identifier is for that cert chain
+// (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
+// 3 - Check that this issuer/feed match the requirement of the user provided
+// security policy (done in the regoby LoadFragment)
+func (s *SecurityOptions) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
+	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("VerifyAndExtractFragment")
+
+	raw, err := base64.StdEncoding.DecodeString(fragment.Fragment)
+	if err != nil {
+		return fmt.Errorf("failed to decode fragment: %w", err)
+	}
+	blob := []byte(fragment.Fragment)
+	// keep a copy of the fragment, so we can manually figure out what went wrong
+	// will be removed eventually. Give it a unique name to avoid any potential
+	// race conditions.
+	sha := sha256.New()
+	sha.Write(blob)
+	timestamp := time.Now()
+	fragmentPath := fmt.Sprintf("fragment-%x-%d.blob", sha.Sum(nil), timestamp.UnixMilli())
+	_ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644)
+
+	unpacked, err := cosesign1.UnpackAndValidateCOSE1CertChain(raw)
+	if err != nil {
+		return fmt.Errorf("InjectFragment failed COSE validation: %w", err)
+	}
+
+	payloadString := string(unpacked.Payload[:])
+	issuer := unpacked.Issuer
+	feed := unpacked.Feed
+	chainPem := unpacked.ChainPem
+
+	log.G(ctx).WithFields(logrus.Fields{
+		"issuer":   issuer, // eg the DID:x509:blah....
+		"feed":     feed,
+		"cty":      unpacked.ContentType,
+		"chainPem": chainPem,
+	}).Debugf("unpacked COSE1 cert chain")
+
+	log.G(ctx).WithFields(logrus.Fields{
+		"payload": payloadString,
+	}).Tracef("unpacked COSE1 payload")
+
+	if len(issuer) == 0 || len(feed) == 0 { // must both be present
+		return fmt.Errorf("either issuer and feed must both be provided in the COSE_Sign1 protected header")
+	}
+
+	// Resolve returns a did doc that we don't need
+	// we only care if there was an error or not
+	_, err = didx509resolver.Resolve(unpacked.ChainPem, issuer, true)
+	if err != nil {
+		log.G(ctx).Printf("Badly formed fragment - did resolver failed to match fragment did:x509 from chain with purported issuer %s, feed %s - err %s", issuer, feed, err.Error())
+		return fmt.Errorf("failed to resolve DID: %w", err)
+	}
+
+	// now offer the payload fragment to the policy
+	err = s.PolicyEnforcer.LoadFragment(ctx, issuer, feed, payloadString)
+	if err != nil {
+		return fmt.Errorf("error loading security policy fragment: %w", err)
+	}
+	return nil
+}

pkg/securitypolicy/securitypolicyenforcer.go

@@ -2,22 +2,12 @@ package securitypolicy
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/base64"
 	"fmt"
-	"os"
-	"path/filepath"
 	"syscall"
-	"time"
 
-	"github.com/Microsoft/cosesign1go/pkg/cosesign1"
-	didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver"
-	"github.com/Microsoft/hcsshim/internal/log"
 	"github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
-	"github.com/Microsoft/hcsshim/internal/protocol/guestresource"
 	oci "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 )
 
 type createEnforcerFunc func(base64EncodedPolicy string, criMounts, criPrivilegedMounts []oci.Mount, maxErrorMessageLength int) (SecurityPolicyEnforcer, error)
@@ -151,69 +141,6 @@ func (s stringSet) contains(item string) bool {
 	return contains
 }
 
-// Fragment extends current security policy with additional constraints
-// from the incoming fragment. Note that it is base64 encoded over the bridge/
-//
-// There are three checking steps:
-// 1 - Unpack the cose document and check it was actually signed with the cert
-// chain inside its header
-// 2 - Check that the issuer field did:x509 identifier is for that cert chain
-// (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
-// 3 - Check that this issuer/feed match the requirement of the user provided
-// security policy (done in the regoby LoadFragment)
-func ExtractAndVerifyFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (issuer string, feed string, payloadString string, err error) {
-	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("VerifyAndExtractFragment")
-
-	raw, err := base64.StdEncoding.DecodeString(fragment.Fragment)
-	if err != nil {
-		return "", "", "", fmt.Errorf("failed to decode fragment: %w", err)
-	}
-	blob := []byte(fragment.Fragment)
-	// keep a copy of the fragment, so we can manually figure out what went wrong
-	// will be removed eventually. Give it a unique name to avoid any potential
-	// race conditions.
-	sha := sha256.New()
-	sha.Write(blob)
-	timestamp := time.Now()
-	fragmentPath := fmt.Sprintf("fragment-%x-%d.blob", sha.Sum(nil), timestamp.UnixMilli())
-	_ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644)
-
-	unpacked, err := cosesign1.UnpackAndValidateCOSE1CertChain(raw)
-	if err != nil {
-		return "", "", "", fmt.Errorf("InjectFragment failed COSE validation: %w", err)
-	}
-
-	payloadString = string(unpacked.Payload[:])
-	issuer = unpacked.Issuer
-	feed = unpacked.Feed
-	chainPem := unpacked.ChainPem
-
-	log.G(ctx).WithFields(logrus.Fields{
-		"issuer":   issuer, // eg the DID:x509:blah....
-		"feed":     feed,
-		"cty":      unpacked.ContentType,
-		"chainPem": chainPem,
-	}).Debugf("unpacked COSE1 cert chain")
-
-	log.G(ctx).WithFields(logrus.Fields{
-		"payload": payloadString,
-	}).Tracef("unpacked COSE1 payload")
-
-	if len(issuer) == 0 || len(feed) == 0 { // must both be present
-		return "", "", "", fmt.Errorf("either issuer and feed must both be provided in the COSE_Sign1 protected header")
-	}
-
-	// Resolve returns a did doc that we don't need
-	// we only care if there was an error or not
-	_, err = didx509resolver.Resolve(unpacked.ChainPem, issuer, true)
-	if err != nil {
-		log.G(ctx).Printf("Badly formed fragment - did resolver failed to match fragment did:x509 from chain with purported issuer %s, feed %s - err %s", issuer, feed, err.Error())
-		return "", "", "", err
-	}
-
-	return issuer, feed, payloadString, nil
-}
-
 // CreateSecurityPolicyEnforcer returns an appropriate enforcer for input
 // parameters.  Returns an error if the requested `enforcer` implementation
 // isn't registered.