
Source file src/github.com/Microsoft/hcsshim/internal/tools/securitypolicy/main.go


     1  package main
     2  
     3  import (
     4  	"encoding/base64"
     5  	"flag"
     6  	"fmt"
     7  	"os"
     8  
     9  	"github.com/pelletier/go-toml"
    10  
    11  	"github.com/Microsoft/hcsshim/internal/tools/securitypolicy/helpers"
    12  	"github.com/Microsoft/hcsshim/pkg/securitypolicy"
    13  )
    14  
// configFile is the path of the TOML policy config to read (-c); main treats it as required.
var configFile = flag.String("c", "", "config path")

// outputType names the output format (-t): rego, json or fragment.
var outputType = flag.String("t", "", "[rego|json|fragment]")

// fragmentNamespace (-n) and fragmentSVN (-v) are only consulted when -t is "fragment".
var (
	fragmentNamespace = flag.String("n", "", "fragment namespace")
	fragmentSVN       = flag.String("v", "", "fragment svn")
)

// outputRaw (-r) additionally prints the un-encoded policy text before the base64 line.
var outputRaw = flag.Bool("r", false, "whether to print the raw output")
    22  
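// main reads a TOML policy config (-c), appends the tool's built-in default
// containers, renders the policy in the requested format and prints it
// base64-encoded (with -r, the raw text is printed first).
//
// The process exits with status 1 when positional arguments are given, when
// -c is missing, or when any step of policy generation fails; in the last
// case the error is written to stderr.
func main() {
	flag.Parse()
	// No positional arguments are accepted and the config path is mandatory.
	if flag.NArg() != 0 || len(*configFile) == 0 {
		flag.Usage()
		os.Exit(1)
	}

	if err := run(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

// run performs the policy generation selected by the parsed flags and
// returns the first error encountered, wrapped with the step that failed.
func run() error {
	config, err := loadConfig(*configFile)
	if err != nil {
		return err
	}

	policyCode, err := marshalPolicy(config)
	if err != nil {
		return err
	}

	// With -r the human-readable policy is printed before the encoded form,
	// so the base64 line is always the last line of output.
	if *outputRaw {
		fmt.Println(policyCode)
	}
	fmt.Println(base64.StdEncoding.EncodeToString([]byte(policyCode)))
	return nil
}

// loadConfig parses the TOML file at path into a PolicyConfig and appends
// helpers.DefaultContainerConfigs() to the containers the file declares, so
// those defaults are always part of the generated policy.
//
// Errors from reading or parsing the file are wrapped with the file path.
func loadConfig(path string) (*securitypolicy.PolicyConfig, error) {
	configData, err := os.ReadFile(path)
	if err != nil {
		// os.ReadFile errors already carry the path.
		return nil, fmt.Errorf("reading config: %w", err)
	}

	config := &securitypolicy.PolicyConfig{}
	if err := toml.Unmarshal(configData, config); err != nil {
		return nil, fmt.Errorf("parsing config %q: %w", path, err)
	}

	config.Containers = append(config.Containers, helpers.DefaultContainerConfigs()...)
	return config, nil
}

// marshalPolicy converts config.Containers into policy containers and renders
// either a fragment (-t fragment, using -n and -v) or a full policy in the
// format named by -t. Neither the format name nor empty -n/-v values are
// checked here; whatever checking exists is left to the securitypolicy calls.
func marshalPolicy(config *securitypolicy.PolicyConfig) (string, error) {
	policyContainers, err := helpers.PolicyContainersFromConfigs(config.Containers)
	if err != nil {
		return "", fmt.Errorf("building container policies: %w", err)
	}

	if *outputType == "fragment" {
		code, err := securitypolicy.MarshalFragment(
			*fragmentNamespace,
			*fragmentSVN,
			policyContainers,
			config.ExternalProcesses,
			config.Fragments)
		if err != nil {
			return "", fmt.Errorf("marshalling fragment: %w", err)
		}
		return code, nil
	}

	code, err := securitypolicy.MarshalPolicy(
		*outputType,
		config.AllowAll,
		policyContainers,
		config.ExternalProcesses,
		config.Fragments,
		config.AllowPropertiesAccess,
		config.AllowDumpStacks,
		config.AllowRuntimeLogging,
		config.AllowEnvironmentVariableDropping,
		config.AllowUnencryptedScratch,
		config.AllowCapabilityDropping,
	)
	if err != nil {
		return "", fmt.Errorf("marshalling %q policy: %w", *outputType, err)
	}
	return code, nil
}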
    91  
