MappedDirectory enforcement and misc fixes#2727
Draft
MahatiC wants to merge 2 commits into
Draft
Conversation
Capture and apply envToKeep from policy enforcement in createContainer, external exec, and in-container exec. Previously the filtered env list was discarded. Add ociEnvToProcessParamEnv and rewriteExecRequest helpers with tests. Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
Add EnforceMappedDirectoryMountPolicy/UnmountPolicy to enforce VSMB directory shares for confidential Windows containers. Writable mapped directories are denied; duplicates at the same container path are prevented. Also add path pattern validation for MappedVirtualDisk and MappedVirtualDiskForContainerScratch to ensure SCSI mounts only target c:\mounts\scsi\m<N>. Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
KenGordon
reviewed
May 11, 2026
| if envToKeep != nil { | ||
| spec.Process.Env = []string(envToKeep) | ||
| } | ||
| _ = allowStdio // TODO: enforce stdio access for Windows containers |
Collaborator
There was a problem hiding this comment.
Is there no enforcement on stdout in WCOW yet?
| // Tests for environment variable filtering helpers (envlist persistence) | ||
|
|
||
| func TestOciEnvToProcessParamEnv_Basic(t *testing.T) { | ||
| input := []string{"FOO=bar", "PATH=/usr/bin", "EMPTY="} |
Collaborator
There was a problem hiding this comment.
/usr/bin might not be the most obvious choice for a Windows test.
| load_fragment := data.framework.load_fragment | ||
| scratch_mount := data.framework.scratch_mount | ||
| scratch_unmount := data.framework.scratch_unmount | ||
| mapped_directory_mount := data.framework.mapped_directory_mount |
Collaborator
There was a problem hiding this comment.
Does the tooling need to be updated to match?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit 1: CWCOW: Filter environment variable
The GCS sidecar was evaluating security policy for environment variables but discarding the filtered result. This meant policy could block containers with disallowed env vars, but couldn't selectively strip individual variables. This commit captures the filtered env list and rewrites the request with it before forwarding to GCS.
Commit 2: CWCOW: Enforce MappedDirectory inside gcs-sidecar
The GCS sidecar had no enforcement for ResourceTypeMappedDirectory (VSMB shares) or path validation for ResourceTypeMappedVirtualDisk/ResourceTypeMappedVirtualDiskForContainerScratch (SCSI mounts). This would allow an untrusted host to share arbitrary directories into the UVM without policy checks. This commit adds:
read-only invariant inside the UVM and prevents duplicate mounts at the same container path. Path pattern validation ensures SCSI mounts only target c:\mounts\scsi\m