Skip to content

fix(evidence): key-constrain all redaction allowlist subtypes#1419

Merged
mchmarny merged 1 commit into
NVIDIA:mainfrom
njhensley:evidence/redact-key-allowlist
Jun 23, 2026
Merged

fix(evidence): key-constrain all redaction allowlist subtypes#1419
mchmarny merged 1 commit into
NVIDIA:mainfrom
njhensley:evidence/redact-key-allowlist

Conversation

@njhensley

Copy link
Copy Markdown
Member

Summary

Make the minimal-evidence snapshot allowlist fail-closed at the key level, not just at type/subtype. Every kept subtype is now key-constrained and the keep-all escape hatch is removed, so the package's stated guarantee holds at every level.

Motivation / Context

Follow-up to a review comment on the merged #1414 (discussion, @mchmarny). The package doc claims "anything a future collector adds is dropped until explicitly allowlisted," but that held only at type and subtype granularity (plus key granularity for K8s.node). The keep()-all subtypes — server, hardware, release, summary — were fail-open at the key level: a sensitive key a future collector attaches to one of them would ship by default.

OS.release was the concrete risk: the collector ships all of /etc/os-release verbatim, so a non-standard distro could inject arbitrary operator-influenced keys that would publish in the "minimal" bundle.

Nothing leaks today (these subtypes currently carry only version/model/count/distro-identity keys), but the asymmetry with the deliberately key-constrained node subtype was exactly the trap. This change makes the implementation match the stated guarantee.

Fixes: N/A
Related: #1414, #1345

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Build/CI/tooling

Component(s) Affected

  • Other: pkg/evidence/redact, docs/design/007-recipe-evidence.md

Implementation Notes

  • Every kept subtype is now an explicit key allowlist; the keep()-all variant is removed, so copySubtype always filters by the key set (no nil = keep-all path). A key not listed in its subtype's policy is dropped, fail-closed.
  • OS.release is bound to standard distro-identity keys (ID, ID_LIKE, NAME, PRETTY_NAME, VERSION, VERSION_ID, VERSION_CODENAME); other /etc/os-release fields are dropped. server, hardware, and summary are pinned to their known collector keys.
  • PolicyVersion is intentionally not bumped: v1 merged yesterday and has no consumers, so there is no signal to preserve.
  • Package and allowlist doc comments now state the guarantee precisely (fail-closed at type, subtype, AND key level).

Testing

go test ./pkg/evidence/... ./pkg/cli/...          # pass
golangci-lint run -c .golangci.yaml ./pkg/evidence/...   # 0 issues (pinned v2.12.2)
  • New TestSnapshotKeyConstrainsAllKeptSubtypes proves an unknown/sensitive key on each formerly-keep-all subtype (incl. non-standard os-release keys) is dropped while known keys survive. pkg/evidence/redact coverage 98.1%.
  • -race and the sigstore-dependent tests rely on CI (no local C compiler / sigstore network in my sandbox).

Risk Assessment

  • Low — Isolated to the redaction allowlist; well-tested; easy to revert. Tightens (never loosens) what ships.
  • Medium
  • High

Rollout notes: Minimal bundles now ship slightly fewer os-release keys (standard identity only). No verification or schema impact; --full is unaffected. N/A migration.

Checklist

  • Tests pass locally (make test with -race) — non-race suite passes locally; -race requires CI (no local C compiler)
  • Linter passes (make lint) — pinned golangci-lint v2.12.2, 0 issues
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed (ADR-007)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

…losed)

The package documented a fully fail-closed allowlist, but the keep()-all
subtypes (server, hardware, release, summary) were fail-open at the key
level: a sensitive key a future collector attaches to one of them would
ship in minimal bundles by default. OS.release was the concrete risk —
the collector ships all of /etc/os-release verbatim, so
operator-influenced
keys could leak.

Constrain every kept subtype to an explicit key allowlist and remove the
keep-all escape hatch, so the guarantee holds at type, subtype, and key
level. release is bound to standard distro-identity keys.

Follow-up to PR NVIDIA#1414 review (mchmarny).
@njhensley njhensley requested a review from a team as a code owner June 23, 2026 16:08
@njhensley njhensley added the theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification label Jun 23, 2026
@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 08168ac9-ec07-4d2f-beb8-a489d5853779

📥 Commits

Reviewing files that changed from the base of the PR and between 03b14d9 and a1de36d.

📒 Files selected for processing (3)
  • docs/design/007-recipe-evidence.md
  • pkg/evidence/redact/redact.go
  • pkg/evidence/redact/redact_test.go

📝 Walkthrough

Walkthrough

The minimal evidence redaction policy is tightened to be fail-closed at the individual data-key level for snapshot measurement subtypes. The keep() helper in redact.go previously treated an empty call as "keep all keys" via a nil map; it now always constructs an explicit allowlist map. The snapshotAllowlist entries for K8s.server, GPU.hardware, OS.release, and NodeTopology.summary are updated to name their permitted keys explicitly. copySubtype is simplified to remove the nil-check branch and size output from the allowlist length. A new test, TestSnapshotKeyConstrainsAllKeptSubtypes, verifies that extra unknown keys injected into each retained subtype are dropped after redaction. The design document is updated to match.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately captures the main change: enforcing key-level constraints on redaction allowlist subtypes, which is the core fix addressing the security gap.
Description check ✅ Passed The description is directly related to the changeset, providing clear context about the security gap, motivation, implementation details, and testing for the key-constraint fix.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@mchmarny mchmarny enabled auto-merge (squash) June 23, 2026 16:17
@mchmarny mchmarny merged commit fd8ba27 into NVIDIA:main Jun 23, 2026
34 of 35 checks passed
@njhensley njhensley deleted the evidence/redact-key-allowlist branch June 23, 2026 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/docs size/M theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants