# Rego policy package `custom`. Each exported rule evaluates one request
# (`input`) against the policy stored under data.policy and the runtime state
# under data.metadata, and yields {"allowed": bool, "metadata": [...]}. The
# metadata entries describe state changes (add/update to the "devices" and
# "containers" maps) that the caller is expected to apply; later requests read
# that state back through data.metadata.devices / data.metadata.containers.
package custom
2
3import future.keywords.every
4import future.keywords.in
5
# mount_device: a block device may be mounted only if its hash is listed in
# the deviceHashes of at least one overlay in the policy. A successful
# decision asks the caller to record (input.target -> input.deviceHash) in
# the "devices" map; anything else falls through to the denial default.
default mount_device := {"allowed": false}

mount_device := decision {
    some overlay in data.policy.overlays
    # Membership test replaces the explicit `some hash ... hash == ...` walk.
    input.deviceHash in overlay.deviceHashes
    decision := {
        "allowed": true,
        "metadata": [{
            "name": "devices",
            "action": "add",
            "key": input.target,
            "value": input.deviceHash,
        }],
    }
}
19
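# mount_overlay: an overlay filesystem may be mounted only if the supplied
# layer paths resolve (via the "devices" map filled by mount_device) to exactly
# the ordered list of deviceHashes of one overlay in the policy. A successful
# decision asks the caller to record (input.containerID -> overlayID) in the
# "containers" map; anything else falls through to the denial default.
default mount_overlay := {"allowed": false}

mount_overlay := {"allowed": true, "metadata": [addContainer]} {
    some overlayID, overlay in data.policy.overlays

    # Fix: the layer list must match the overlay's hash list in full. Iterating
    # only over input.layerPaths is vacuously satisfied by an empty list and
    # accepts any strict prefix of the overlay's layers, so a request could
    # mount an overlay with layers missing. Extra layers were already rejected
    # because overlay.deviceHashes[i] is undefined past the end.
    count(input.layerPaths) == count(overlay.deviceHashes)

    # Each layer path must have been registered by mount_device and its hash
    # must sit at the same position in the overlay definition.
    every i, path in input.layerPaths {
        data.metadata.devices[path] == overlay.deviceHashes[i]
    }

    addContainer := {
        "name": "containers",
        "action": "add",
        "key": input.containerID,
        "value": overlayID,
    }
}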
36
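# create_container: a container may be created only if (1) its containerID was
# previously bound to an overlay by mount_overlay, (2) some custom_containers
# entry in the policy targets that overlay, (3) the requested argument list is
# exactly that entry's command, (4) every requested mount destination is one of
# the overlay's mounts, and (5) every dependency of the entry is already
# recorded in the "containers" map. A successful decision asks the caller to
# replace the "containers" entry for input.containerID with the matched policy
# container; anything else falls through to the denial default.
default create_container := {"allowed": false}

create_container := {"allowed": true, "metadata": [updateContainer]} {
    overlayID := data.metadata.containers[input.containerID]
    overlay := data.policy.overlays[overlayID]

    some container in data.policy.custom_containers
    container.overlayID == overlayID

    # Fix: the argument list must equal the policy command in full. Iterating
    # only over input.argList accepts an empty list or any strict prefix of
    # container.command (e.g. dropping trailing arguments). A longer list was
    # already rejected because container.command[i] is undefined past the end.
    count(input.argList) == count(container.command)
    every i, arg in input.argList {
        arg == container.command[i]
    }

    # Only the destination is constrained here; mount source, type and options
    # are not examined by this rule.
    every mount in input.mounts {
        some destination in overlay.mounts
        mount.destination == destination
    }

    # Each dependency must match the `id` of an entry already present in the
    # "containers" map. NOTE(review): entries whose value is a bare overlayID
    # string (as written by mount_overlay) have no `id` field and therefore
    # cannot satisfy this; presumably only fully created containers count.
    every depend in container.depends {
        some other in data.metadata.containers
        depend == other.id
    }

    updateContainer := {
        "name": "containers",
        "action": "update",
        "key": input.containerID,
        "value": container,
    }
}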