rego: Allow sending SIGTERM and SIGKILL to the container init process in old policies

micromaomao · anmaxvl · micromaomao · commit edf39b0000a1 · 2025-11-05T15:13:03.000Z
We used to allow SIGTERM/SIGKILL the container init process even if the container's signals list is empty due to a bug fixed in #2538. However, because our tooling has been generating policies with an empty signals list, we need to special case this for old policies to maintain backwards compatibility. Update framework.rego to have SIGTERM and SIGKILL as default kill signals for init process for framework API versions "0.4.1" and below. Newer policies must explicitly have these signals present, otherwise sending signal will be denied. Signed-off-by: Tingmao Wang <tingmaowang@microsoft.com> Co-authored-by: Maksim An <maksiman@microsoft.com>
diff --git a/pkg/securitypolicy/framework.rego b/pkg/securitypolicy/framework.rego
@@ -1960,7 +1960,7 @@ check_container(raw_container, framework_version) := container {
         "allow_elevated": raw_container.allow_elevated,
         "working_dir": raw_container.working_dir,
         "exec_processes": raw_container.exec_processes,
-        "signals": raw_container.signals,
+        "signals": check_signals(raw_container, framework_version),
         "allow_stdio_access": raw_container.allow_stdio_access,
         # Additional fields need to have default logic applied
         "no_new_privileges": check_no_new_privileges(raw_container, framework_version),
@@ -2026,6 +2026,16 @@ check_seccomp_profile_sha256(raw_container, framework_version) := seccomp_profil
     seccomp_profile_sha256 := ""
 }
 
+check_signals(raw_container, framework_version) := signals {
+    semver.compare(framework_version, "0.4.1") >= 0
+    signals := raw_container.signals
+}
+
+check_signals(raw_container, framework_version) := signals {
+    semver.compare(framework_version, "0.4.1") < 0
+    signals := array.concat(raw_container.signals, [9, 15])
+}
+
 check_external_process(raw_process, framework_version) := process {
     semver.compare(framework_version, version) == 0
     process := raw_process
diff --git a/pkg/securitypolicy/version_framework b/pkg/securitypolicy/version_framework
@@ -1 +1 @@
-0.4.0
+0.4.1
