Comparing changes

base repository: microsoft/hcsshim
base: v0.10.0-rc.4
head repository: microsoft/hcsshim
compare: v0.10.0-rc.5
  • 19 commits
  • 373 files changed
  • 11 contributors

Commits on Dec 5, 2022

  1. Add logic to cleanup the oci bundle root dir on container delete

    Signed-off-by: Kathryn Baldauf <[email protected]>
    Kathryn Baldauf committed Dec 5, 2022
    Commit b74c09e

Commits on Jan 17, 2023

  1. Merge pull request #1597 from katiewasnothere/kabaldau/cleanup_shared_scratch_root_dir

    Add logic to cleanup the oci bundle root dir on container delete
    Kathryn Baldauf authored Jan 17, 2023
    Commit d6dd825

Commits on Jan 26, 2023

  1. Retain pause.exe as entrypoint for default pause images (#1615)

    Signed-off-by: Kirtana Ashok <[email protected]>
    
    Signed-off-by: Kirtana Ashok <[email protected]>
    Co-authored-by: Kirtana Ashok <[email protected]>
    kiashok and Kirtana Ashok authored Jan 26, 2023
    Commit 6cd5572

Commits on Jan 27, 2023

  1. Add missing AllowElevated policy check when creating a container (#1624)

    * Add missing AllowElevated policy check when creating a container
    
    When we added AllowElevated and checked it was working correctly, we
    got it slightly wrong. When a container is started, we were adding in
    expected mounts that only happen for privileged containers and
    using those as mounts that are allowed.
    
    During testing, if AllowElevated was left off, a privileged container
    would fail to start seemingly indicating that all was good. However,
    all was not good.
    
    A malicious orchestrator with control of the API could create a container
    privileged that didn't contain any extra "privileged mounts" and the
    container would start as privileged with everything else that being
    privileged entails except for the mounts.
    
    This commit adds an explicit check as part of create container to verify
    that if the container is attempting to be started as privileged that it
    has AllowElevated.
    
    Maksim and I both thought that this had been implemented. I remember it
    being implemented. Apparently that memory is incorrect. Either way, it
    was noticed last Thursday and here's the fix.
    
    Signed-off-by: Sean T. Allen <[email protected]>
    SeanTAllen authored Jan 27, 2023
    Commit aee13c8
  2. Commit 9ac9c8b
  3. Make LCOWPrivileged annotation more resilient to change (#1628)

    A change to one of these two checks was requested by Hamza as part
    of #1624. It was decided
    to get both instances in their own PR as the change was unrelated
    to the work in 1624.
    
    Signed-off-by: Sean T. Allen <[email protected]>
    SeanTAllen authored Jan 27, 2023
    Commit 3d37452
  4. fix snp-report: fake-report flag is now correctly parsed (#1626)

    Previously `fake-report` flag of `snp-report` binary was incorrectly
    handled when report was requested in `binary` format. This PR fixes
    the logic.
    
    Signed-off-by: Maksim An <[email protected]>
    anmaxvl authored Jan 27, 2023
    Commit 5bc3c72
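
The gap described in the AllowElevated commit (#1624) above, modelled as an added Go example; it is not code from hcsshim or from the commit. `Policy`, `Request`, `createBefore`, `createAfter` and the `/sys/fs/cgroup` and `/data` mounts are hypothetical names and constructed values used only to show why the mount check alone is not enough.

```go
package main

import "fmt"

// Policy and Request are a simplified, hypothetical model; they are not hcsshim types.
type Policy struct {
	AllowElevated bool
	Mounts        []string // mounts the policy allows for this container
}

type Request struct {
	Privileged bool
	Mounts     []string
}

// privilegedMounts is a constructed stand-in for the mounts only privileged containers get.
var privilegedMounts = []string{"/sys/fs/cgroup"}

// mountsAllowed accepts the privileged mounts only when AllowElevated is set.
func mountsAllowed(p Policy, r Request) bool {
	allowed := map[string]bool{}
	for _, m := range p.Mounts {
		allowed[m] = true
	}
	for _, m := range privilegedMounts {
		allowed[m] = allowed[m] || p.AllowElevated
	}
	for _, m := range r.Mounts {
		if !allowed[m] {
			return false
		}
	}
	return true
}

// createBefore: privilege is enforced only indirectly, through the mount check.
func createBefore(p Policy, r Request) bool { return mountsAllowed(p, r) }

// createAfter: the explicit check the commit describes, made before anything else.
func createAfter(p Policy, r Request) bool {
	if r.Privileged && !p.AllowElevated {
		return false
	}
	return mountsAllowed(p, r)
}

func main() {
	p := Policy{Mounts: []string{"/data"}} // AllowElevated is false
	r := Request{Privileged: true, Mounts: []string{"/data"}}
	fmt.Println("before:", createBefore(p, r), "after:", createAfter(p, r))
}
```

A privileged request that carries the privileged mounts is rejected by both versions, which is why testing with AllowElevated off appeared to pass.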

Commits on Jan 28, 2023

  1. API Data and Framework Versioning. (#1622)

    * API Data and Framework Versioning.
    
    This change adds several features that are necessary to provide stable backwards
    compatibility.
    
    The first deals with how API defaults are specified.
    Previously, API default behavior was given in terms of allow/deny, i.e.
    
    ``` rego
    "create_container": {"introducedVersion": "0.1.0",
                         "allowedByDefault": false}
    ```
    
    This does not reflect how the API has evolved, in particular the fact that GCS
    expects the API to return objects and not a single boolean value. Thus, the
    defaults have been updated to be default object values:
    
    ``` rego
    "create_container": {"introducedVersion": "0.1.0",
                         "default_results": {"allowed": false,
                                             "env_list": null,
                                             "allow_stdio_access": true}},
    ```
    
    The resulting default object is then combined with the value returned by the
    (older) policy using an object union operation. For example, if the
    default is:
    
    ``` json
    {
        "allowed": false,
        "env_list": null,
        "allow_stdio_access": true
    }
    ```
    
    and the value returned by an older policy is:
    
    ``` json
    {
        "allowed": true
    }
    ```
    
    then the fields of the policy result overwrite the fields of the default
    to create the final result:
    
    ``` json
    {
        "allowed": true,
        "env_list": null,
        "allow_stdio_access": true
    }
    ```
    
    As the API stabilizes, it will increasingly be the case that the Framework will
    change independently of the API and will need its own SVN. The second major
    change this PR incorporates is to add a Framework SVN to fragments and policies
    which use the provided framework. This allows us to provide Framework-specific
    backwards compatibility behavior. In particular, this allows us to specify
    policy object versioning via the new `framework_objects.json` file. For example,
    the format of the external process object is defined as:
    
    ``` json
    "external_process": {
        "command": {
            "introduced_version": "0.1.0",
            "default_value": null
        },
        "env_rules": {
            "introduced_version": "0.1.0",
            "default_value": null
        },
        "working_dir": {
            "introduced_version": "0.1.0",
            "default_value": null
        },
        "allow_stdio_access": {
            "introduced_version": "0.1.0",
            "default_value": null
        }
    },
    ```
    
    As new elements are added to framework policy objects, reasonable defaults can
    be provided here. This has repercussions on policies in a few cases:
    
    1. **`framework_svn` is missing.** If the policy or fragment does not define a
       Framework SVN, then the framework must throw an error for any rule which
       uses the object defaults, as the behavior is undefined.
    2. **`framework_svn` is ahead of the executing Framework SVN**. Similarly, if
       a policy or fragment specifies an SVN which is greater than that of the
       executing Framework, they are indicating that they expect a different set of
       constraints to be executing and thus we must throw an error when rules
       that use object defaults are executed.
    
    Implementing and testing these changes required some minor alterations and
    refactoring to the `regopolicyinterpreter`, in particular a method to make
    raw Rego queries to facilitate testing the default application process for
    candidate policy objects.
    
    Signed-off-by: Matthew A Johnson <[email protected]>
    matajoh authored Jan 28, 2023
    Commit de1480a
  2. rego: fix slightly incorrect sandbox and hugepage mounts enforcement (#1625)

    Sandbox and hugepage mounts come via CRI config in the form:
    `sandbox://<absolute-path>`, however the existing enforcement and tests
    expect it to be `sandbox://<relative-path>` which causes a problem during
    mount enforcement, when the sandbox prefix is replaced with an additional
    path separator in the end.
    
    Additionally update policy tests.
    
    Signed-off-by: Maksim An <[email protected]>
    anmaxvl authored Jan 28, 2023
    Commit 97875f7
  3. Fragment COSE Sign1 support. Allows for a fragment presented by the host (#1575)

    to be checked for a good cert chain and a valid issuer DID that matches
    the certs and so the signature. Includes DID and COSE Sign1 packages and
    tooling.
    
    Support extracting a DID directly from a COSE Sign1 document and also
    support single cert COSE Sign document checking, but not DID generation.
    
    `signutil` is a debug tool that allows generating valid DID given a
    COSE Sign1 document and provides other utility functions like printing
    cert chain, leaf certs, displaying COSE Sign1 document content etc.
    
    Signed-off-by: Ken Gordon <[email protected]>
    KenGordon authored Jan 28, 2023
    Commit fbcafad
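
The default-merging and `framework_svn` rules from the API Data and Framework Versioning commit (#1622) above, as an added Go example rather than code from the project. The function names, the error values and the dotted `x.y.z` SVN format are assumptions, and the sample versions are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var ErrMissingSVN = errors.New("framework_svn is missing")
var ErrSVNAhead = errors.New("framework_svn is ahead of the executing framework")

// applyDefaults is the object union: policy result fields overwrite the defaults.
func applyDefaults(defaults, result map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(defaults)+len(result))
	for _, m := range []map[string]interface{}{defaults, result} {
		for k, v := range m {
			out[k] = v
		}
	}
	return out
}

// svnAhead reports whether a > b; "x.y.z" is an assumed format, based on the "0.1.0" strings above.
func svnAhead(a, b string) (ahead bool, err error) {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	if len(as) != 3 || len(bs) != 3 {
		return false, fmt.Errorf("invalid SVN %q or %q", a, b)
	}
	for i := 2; i >= 0; i-- { // least significant first, so the most significant difference wins
		x, errA := strconv.Atoi(as[i])
		y, errB := strconv.Atoi(bs[i])
		if errA != nil || errB != nil || x < 0 || y < 0 {
			return false, fmt.Errorf("invalid SVN %q or %q", a, b)
		}
		if x != y {
			ahead = x > y
		}
	}
	return ahead, nil
}

// checkFrameworkSVN fails closed in the two cases where object defaults are undefined.
func checkFrameworkSVN(policySVN, executingSVN string) error {
	if policySVN == "" {
		return ErrMissingSVN
	}
	ahead, err := svnAhead(policySVN, executingSVN)
	if err == nil && ahead {
		err = ErrSVNAhead
	}
	return err
}

func main() { fmt.Println(checkFrameworkSVN("0.2.0", "0.1.0")) }
```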

Commits on Jan 30, 2023

  1. Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 in /test (#1631)

    Bumps [github.com/containerd/cgroups](https://github.com/containerd/cgroups) from 1.0.3 to 1.1.0.
    - [Release notes](https://github.com/containerd/cgroups/releases)
    - [Commits](containerd/cgroups@v1.0.3...v1.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/containerd/cgroups
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jan 30, 2023
    Commit 80d9eb0
  2. Bump github.com/google/go-containerregistry in /test

    Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.1 to 0.13.0.
    - [Release notes](https://github.com/google/go-containerregistry/releases)
    - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
    - [Commits](google/go-containerregistry@v0.12.1...v0.13.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/google/go-containerregistry
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    dependabot[bot] committed Jan 30, 2023
    Commit 73b7539
  3. Bump google.golang.org/grpc from 1.51.0 to 1.52.3 in /test

    Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.51.0 to 1.52.3.
    - [Release notes](https://github.com/grpc/grpc-go/releases)
    - [Commits](grpc/grpc-go@v1.51.0...v1.52.3)
    
    ---
    updated-dependencies:
    - dependency-name: google.golang.org/grpc
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    dependabot[bot] committed Jan 30, 2023
    Commit a31ee4e
  4. Bump golang.org/x/sys from 0.3.0 to 0.4.0 in /test (#1612)

    Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.3.0 to 0.4.0.
    - [Release notes](https://github.com/golang/sys/releases)
    - [Commits](golang/sys@v0.3.0...v0.4.0)
    
    ---
    updated-dependencies:
    - dependency-name: golang.org/x/sys
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    dependabot[bot] authored Jan 30, 2023
    Commit 7a8d6bb
  5. Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 (#1630)

    * Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0
    
    Bumps [github.com/containerd/cgroups](https://github.com/containerd/cgroups) from 1.0.3 to 1.1.0.
    - [Release notes](https://github.com/containerd/cgroups/releases)
    - [Commits](containerd/cgroups@v1.0.3...v1.1.0)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/containerd/cgroups
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>
    
    * fix test mod
    
    Signed-off-by: Hamza El-Saawy <[email protected]>
    
    ---------
    
    Signed-off-by: dependabot[bot] <[email protected]>
    Signed-off-by: Hamza El-Saawy <[email protected]>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Co-authored-by: Hamza El-Saawy <[email protected]>
    dependabot[bot] and helsaawy authored Jan 30, 2023
    Commit 3c21b61
  6. Commit 118344b
  7. internal/tools/securitypolicy: switch to github.com/pelletier/go-toml (#1620)

    The BurntSushi/toml module was unmaintained for a long time, and most
    projects switched over to using pelletier/go-toml. While it appears
    that maintenance was handed over to a new maintainer, switching to
    the most commonly used implementation to simplify dependency management.
    
    Signed-off-by: Sebastiaan van Stijn <[email protected]>
    thaJeztah authored Jan 30, 2023
    Commit 9f4ddc6

Commits on Jan 31, 2023

  1. Add retry to install mingw (#1636)

    Integration test often fails because of mingw installation failure,
    which in turn appears to be a web-request issue.
    Adding retry and backoff/sleep to resolve issue.
    
    Signed-off-by: Hamza El-Saawy <[email protected]>
    helsaawy authored Jan 31, 2023
    Commit d310213
  2. test: Add CRI benchmarks for container operations (#1569)

    * test: Add CRI benchmarks for container operations
    
    Add CRI API benchmarks to `cri-containerd.test.exe`, and update helper
    functions in `cri-containerd` to accept `tb testing.TB` instead of
    `t *testing.T`.
    
    Switched `cri-containerd` to `test\internal\flag` so that
    `test\internal\require` can be used to check if features are present
    since that implementation already mirrors what `cri-containerd` does,
    but accepts a `testing.TB`, and deleted old
    `test/internal/stringsetflag.go` file.
    
    Renamed `scripts/Test-Functionl.ps1` to `scripts/Run-Tests.ps1`, and
    updated it to run both functional and CRI tests and benchmarks.
    
    Signed-off-by: Hamza El-Saawy <[email protected]>
    
    * PR: clarifying comment
    
    Signed-off-by: Hamza El-Saawy <[email protected]>
    
    ---------
    
    Signed-off-by: Hamza El-Saawy <[email protected]>
    helsaawy authored Jan 31, 2023
    Commit db7a679