package policy

# Schema versions this policy document was generated against; the framework
# rules bound at the bottom of the file are expected to match these.
api_version := "0.10.0"
framework_version := "0.3.0"

# Policy fragments that may be loaded at runtime. "includes" names the
# sections a fragment is allowed to contribute: because this entry includes
# "containers", a fragment signed by this issuer/feed can add further
# container definitions, so trust in the fragment issuer is equivalent to
# trust in this policy itself. "minimum_svn" is the lowest security version
# number accepted from that feed (how the comparison is made lives in
# data.framework, not here).
fragments := [
    {
        "issuer": "did:web:contoso.com",
        "feed": "contoso.azurecr.io/infra",
        "minimum_svn": "1",
        "includes": ["containers"],
    },
]

# Containers this policy allows to be created. Each entry pins the command,
# the accepted environment, the image layers (by digest), mounts, the
# processes that may be exec'd into the container, and the privilege-related
# settings. Matching semantics are implemented by data.framework.
containers := [
    # Container 1: the rustc image.
    {
        "command": ["rustc", "--help"],
        # "string" rules must match exactly; "required": true means the
        # variable has to be present for create_container to be allowed.
        "env_rules": [
            {"pattern": `PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`, "strategy": "string", "required": true},
            {"pattern": `RUSTUP_HOME=/usr/local/rustup`, "strategy": "string", "required": true},
            {"pattern": `CARGO_HOME=/usr/local/cargo`, "strategy": "string", "required": true},
            {"pattern": `RUST_VERSION=1.52.1`, "strategy": "string", "required": true},
            {"pattern": `TERM=xterm`, "strategy": "string", "required": false},
            # The only open-ended rule in the policy: an re2 pattern that
            # accepts any variable whose name starts with PREFIX_, with any
            # non-empty value. Anything reaching the container through such
            # a variable is not constrained by this file.
            {"pattern": `PREFIX_.+=.+`, "strategy": "re2", "required": false},
        ],
        # Image layer digests; all six must be presented for the overlay to
        # be mounted for this container.
        "layers": [
            "fe84c9d5bfddd07a2624d00333cf13c1a9c941f3a261f13ead44fc6a93bc0e7a",
            "4dedae42847c704da891a28c25d32201a1ae440bce2aecccfa8e6f03b97a6a6c",
            "41d64cdeb347bf236b4c13b7403b633ff11f1cf94dbc7cf881a44d6da88c5156",
            "eb36921e1f82af46dfe248ef8f1b3afb6a5230a64181d960d10237a08cd73c79",
            "e769d7487cc314d3ee748a4440805317c19262c7acd2fdbdb0d47d2e4613a15c",
            "1b80f120dbd88e4355d6241b519c3e25290215c469516b49dece9cf07175a766",
        ],
        # Host bind mounts. The first is read-write and rshared, so writes
        # from the container propagate back to the sandbox-side path; the
        # second is read-only.
        "mounts": [
            {
                "destination": "/container/path/one",
                "options": ["rbind", "rshared", "rw"],
                "source": "sandbox:///host/path/one",
                "type": "bind",
            },
            {
                "destination": "/container/path/two",
                "options": ["rbind", "rshared", "ro"],
                "source": "sandbox:///host/path/two",
                "type": "bind",
            },
        ],
        # Only "top" may be exec'd into this container, and no signals may
        # be sent to it.
        "exec_processes": [
            {"command": ["top"], "signals": []},
        ],
        "signals": [],
        # User and group identity are left unconstrained ("any"); only the
        # umask is pinned.
        "user": {
            "user_idname": {"pattern": ``, "strategy": "any"},
            "group_idnames": [{"pattern": ``, "strategy": "any"}],
            "umask": "0022",
        },
        # CAP_SYS_ADMIN in every set, including ambient, together with
        # allow_elevated below: this container is granted broad privilege.
        # This should be a deliberate, reviewed choice for this workload
        # rather than a template default.
        "capabilities": {
            "bounding": ["CAP_SYS_ADMIN"],
            "effective": ["CAP_SYS_ADMIN"],
            "inheritable": ["CAP_SYS_ADMIN"],
            "permitted": ["CAP_SYS_ADMIN"],
            "ambient": ["CAP_SYS_ADMIN"],
        },
        # Empty digest: no seccomp profile is pinned for this container. How
        # data.framework treats an empty value is not visible in this file.
        "seccomp_profile_sha256": "",
        "allow_elevated": true,
        "working_dir": "/home/user",
        "allow_stdio_access": false,
        "no_new_privileges": true,
    },
    # Container 2: the pause container.
    {
        "command": ["/pause"],
        "env_rules": [
            {"pattern": `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`, "strategy": "string", "required": true},
            {"pattern": `TERM=xterm`, "strategy": "string", "required": false},
        ],
        "layers": [
            "16b514057a06ad665f92c02863aca074fd5976c755d26bff16365299169e8415",
        ],
        # No mounts, no exec, no signals: the pause container is inert.
        "mounts": [],
        "exec_processes": [],
        "signals": [],
        "user": {
            "user_idname": {"pattern": ``, "strategy": "any"},
            "group_idnames": [{"pattern": ``, "strategy": "any"}],
            "umask": "0022",
        },
        # null rather than an explicit set: the capability check for this
        # container is left to data.framework's handling of a missing value.
        "capabilities": null,
        "seccomp_profile_sha256": "",
        "allow_elevated": false,
        "working_dir": "/",
        "allow_stdio_access": false,
        "no_new_privileges": true,
    },
]

# Processes that may run outside any container (in the utility VM). Only
# "bash" with the pinned PATH is allowed; stdio access is disabled.
external_processes := [
    {
        "command": ["bash"],
        "env_rules": [
            {"pattern": `PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`, "strategy": "string", "required": true},
        ],
        "working_dir": "/",
        "allow_stdio_access": false,
    },
]

# Global switches read by the framework rules. Everything that would widen
# what the host can observe or change (properties, stack dumps, runtime
# logging, env-var dropping, unencrypted scratch) is off; capability
# dropping is the only relaxation enabled.
allow_properties_access := false
allow_dump_stacks := false
allow_runtime_logging := false
allow_environment_variable_dropping := false
allow_unencrypted_scratch := false
allow_capability_dropping := true

# Every enforcement decision is delegated to the framework package; this
# file only supplies the data those rules evaluate against.
mount_device := data.framework.mount_device
unmount_device := data.framework.unmount_device
mount_overlay := data.framework.mount_overlay
unmount_overlay := data.framework.unmount_overlay
create_container := data.framework.create_container
exec_in_container := data.framework.exec_in_container
exec_external := data.framework.exec_external
shutdown_container := data.framework.shutdown_container
signal_container_process := data.framework.signal_container_process
plan9_mount := data.framework.plan9_mount
plan9_unmount := data.framework.plan9_unmount
get_properties := data.framework.get_properties
dump_stacks := data.framework.dump_stacks
runtime_logging := data.framework.runtime_logging
load_fragment := data.framework.load_fragment
scratch_mount := data.framework.scratch_mount
scratch_unmount := data.framework.scratch_unmount

# Denial details surfaced to the caller, taken from the framework.
reason := {
    "errors": data.framework.errors,
    "error_objects": data.framework.error_objects,
}