Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package udica for openSUSE:Factory checked 
in at 2024-01-23 22:57:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/udica (Old)
 and      /work/SRC/openSUSE:Factory/.udica.new.16006 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "udica"

Tue Jan 23 22:57:03 2024 rev:3 rq:1140795 version:0.2.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/udica/udica.changes      2023-05-31 
21:55:13.317262328 +0200
+++ /work/SRC/openSUSE:Factory/.udica.new.16006/udica.changes   2024-01-23 
22:57:11.342707226 +0100
@@ -1,0 +2,8 @@
+Mon Jan 22 13:48:03 UTC 2024 - Gayane Osipyan <gayane.osip...@suse.com>
+
+- update to version 0.2.8
+  * Add ---devices option
+  * Fix generating policy for Crio mounts
+  * Improve code readability based on lint and black findings
+
+-------------------------------------------------------------------

Old:
----
  v0.2.7.tar.gz

New:
----
  v0.2.8.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ udica.spec ++++++
--- /var/tmp/diff_new_pack.mAYf5O/_old  2024-01-23 22:57:12.174737648 +0100
+++ /var/tmp/diff_new_pack.mAYf5O/_new  2024-01-23 22:57:12.178737794 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package udica
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           udica
-Version:        0.2.7
+Version:        0.2.8
 Release:        0
 Summary:        A tool for generating SELinux security policies for containers
 License:        GPL-3.0-or-later

++++++ v0.2.7.tar.gz -> v0.2.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/.cirrus.yml new/udica-0.2.8/.cirrus.yml
--- old/udica-0.2.7/.cirrus.yml 2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/.cirrus.yml 2023-11-29 10:43:34.000000000 +0100
@@ -16,13 +16,11 @@
     ####
     #### Cache-image names to test with
     ####
-    FEDORA_NAME: "fedora-34"
-    PRIOR_FEDORA_NAME: "fedora-33"
+    FEDORA_NAME: "fedora-38"
 
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c6431352024203264"
+    IMAGE_SUFFIX: "c20230614t132754z-f38f37d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
-    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
 
     ####
     #### Command variables to help avoid duplication
@@ -52,15 +50,11 @@
 
 # Each 'task' runs in parallel, '_task' suffix required on name.
 test_upstream_podman_task:
+    name: "Test podman on ${FEDORA_NAME}"
     alias: test_upstream_podman
 
-    matrix:
-        - name: "Test podman on ${FEDORA_NAME}"
-          gce_instance:
-              image_name: "${FEDORA_CACHE_IMAGE_NAME}"
-        - name: "Test podman on ${PRIOR_FEDORA_NAME}"
-          gce_instance:
-              image_name: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+    gce_instance:
+        image_name: "${FEDORA_CACHE_IMAGE_NAME}"
 
     env:
         # Which branch, tag, or sha of podman repository to test against
@@ -89,7 +83,6 @@
         # Space-separated list of ALL images used by automation in this 
repository
         IMGNAMES: |-
             ${FEDORA_CACHE_IMAGE_NAME}
-            ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
         BUILDID: "${CIRRUS_BUILD_ID}"
         REPOREF: "${CIRRUS_REPO_NAME}"
         GCPJSON: 
ENCRYPTED[5279a6043ee3852dabbf477cda0565183d3f0d887dde63a19ebe19eb00f9b279a8a5f4d2d7395672cb7d7046b9da11d2]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/.github/renovate.json5 
new/udica-0.2.8/.github/renovate.json5
--- old/udica-0.2.7/.github/renovate.json5      1970-01-01 01:00:00.000000000 
+0100
+++ new/udica-0.2.8/.github/renovate.json5      2023-11-29 10:43:34.000000000 
+0100
@@ -0,0 +1,58 @@
+/*
+   Renovate is a service similar to GitHub Dependabot, but with
+   (fantastically) more configuration options.  So many options
+   in fact, if you're new I recommend glossing over this cheat-sheet
+   prior to the official documentation:
+
+   https://www.augmentedmind.de/2021/07/25/renovate-bot-cheat-sheet
+
+   Configuration Update/Change Procedure:
+     1. Make changes
+     2. Manually validate changes (from repo-root):
+
+        podman run -it \
+            -v ./.github/renovate.json5:/usr/src/app/renovate.json5:z \
+            docker.io/renovate/renovate:latest \
+            renovate-config-validator
+     3. Commit.
+
+   Configuration Reference:
+   https://docs.renovatebot.com/configuration-options/
+
+   Monitoring Dashboard:
+   https://app.renovatebot.com/dashboard#github/containers
+
+   Note: The Renovate bot will create/manage it's business on
+         branches named 'renovate/*'.  Otherwise, and by
+         default, the only the copy of this file that matters
+         is the one on the `main` branch.  No other branches
+         will be monitored or touched in any way.
+*/
+
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json";,
+
+  /*************************************************
+   ****** Global/general configuration options *****
+   *************************************************/
+
+  // Re-use predefined sets of configuration options to DRY
+  "extends": [
+    // 
https://github.com/containers/automation/blob/main/renovate/defaults.json5
+    "github>containers/automation//renovate/defaults.json5"
+  ],
+
+  // Permit automatic rebasing when base-branch changes by more than
+  // one commit.
+  "rebaseWhen": "behind-base-branch",
+
+  /*************************************************
+   *** Repository-specific configuration options ***
+   *************************************************/
+
+  // https://docs.renovatebot.com/modules/manager/#supported-managers
+  "enabledManagers": [
+    "pip-compile", "pip_requirements", "pip_setup", "pipenv", "poetry", 
"pyenv", "setup-cfg",
+    "github-actions", "regex"
+  ]
+}
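Review bot: The `extends` entry pulls `github>containers/automation//renovate/defaults.json5` without a ref, so this repository's Renovate behaviour follows whatever is currently on that repository's default branch. The shared preset presumably decides which update PRs are opened and how they are handled, so pinning it with the `#` suffix, e.g. `"github>containers/automation//renovate/defaults.json5#<release-tag>"` (placeholder tag), would make a change to it an explicit, reviewable bump here. The validation command in the header comment likewise runs `docker.io/renovate/renovate:latest`; a fixed image tag would make validation results reproducible.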
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/.github/workflows/checks.yml 
new/udica-0.2.8/.github/workflows/checks.yml
--- old/udica-0.2.7/.github/workflows/checks.yml        2022-06-22 
13:41:06.000000000 +0200
+++ new/udica-0.2.8/.github/workflows/checks.yml        2023-11-29 
10:43:34.000000000 +0100
@@ -4,7 +4,7 @@
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: sudo apt-get update -y
       - run: sudo apt-get install -y python3-pip python3-setuptools
       - run: sudo pip3 install black pyflakes
@@ -27,7 +27,7 @@
     container:
       image: ${{ matrix.image }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - run: rpm -q python3 || dnf install --nogpgcheck -y python3
       - run: rpm -q git || dnf install --nogpgcheck -y git
       - run: python3 -m unittest -v tests/test_unit.py
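Review bot: The two `dnf install --nogpgcheck` steps that follow the bumped checkout in this job still install `python3` and `git` with RPM signature verification turned off, so the test container accepts whatever the mirror serves. Dropping the flag (`dnf install -y python3`, `dnf install -y git`) restores the check; if one of the matrix images, which are defined outside this hunk, lacks repository keys, importing those keys is the narrower fix. Separately, `actions/checkout@v3` is a movable tag here and in the `lint` job above; pinning the action to a full commit SHA, with the version in a trailing comment, keeps the workflow from changing without a commit in this repository.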
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/Makefile new/udica-0.2.8/Makefile
--- old/udica-0.2.7/Makefile    2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/Makefile    2023-11-29 10:43:34.000000000 +0100
@@ -16,7 +16,7 @@
 
 .PHONY:
 format-check:
-       black --check *.py udica/*.py tests/*.py
+       black --check --diff *.py udica/*.py tests/*.py
 
 .PHONY: test
 test: lint format-check
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/contrib/cirrus/build.sh 
new/udica-0.2.8/contrib/cirrus/build.sh
--- old/udica-0.2.7/contrib/cirrus/build.sh     2022-06-22 13:41:06.000000000 
+0200
+++ new/udica-0.2.8/contrib/cirrus/build.sh     2023-11-29 10:43:34.000000000 
+0100
@@ -20,8 +20,10 @@
 showrun make install PREFIX=/usr ETCDIR=/etc
 
 echo "Configuring podman for execution w/in a container"
-sed -r -i -e 's/^driver.+overlay.+/driver = "vfs"/g' 
/etc/containers/storage.conf
-sed -r -i -e 's/^mountopt =.+/mountopt = ""/g' /etc/containers/storage.conf
+sed -e 's|^#mount_program|mount_program|g' \
+    -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+    /usr/share/containers/storage.conf \
+    > /etc/containers/storage.conf
 setsebool container_manage_cgroup true  # systemd in container
 
 echo "Installing Udica from source"
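Review bot: The rewritten `sed` redirects straight into `/etc/containers/storage.conf`, so the shell truncates that file before `sed` runs. If `/usr/share/containers/storage.conf` is missing on the image, podman is left with an empty configuration, and whether the script stops at that point depends on an errexit setting that is outside this hunk. Writing to a temporary file and moving it into place only on success, e.g. ending the command with `> "$tmp" && mv "$tmp" /etc/containers/storage.conf`, keeps the previous config intact. A short comment that `fsync=0` trades durability for speed and is meant for throwaway CI VMs only would stop the line being copied to real hosts.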
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/contrib/cirrus/setup.sh 
new/udica-0.2.8/contrib/cirrus/setup.sh
--- old/udica-0.2.7/contrib/cirrus/setup.sh     2022-06-22 13:41:06.000000000 
+0200
+++ new/udica-0.2.8/contrib/cirrus/setup.sh     2023-11-29 10:43:34.000000000 
+0100
@@ -8,15 +8,10 @@
 
 case "${OS_RELEASE_ID}" in
     fedora)
-        msg "Expanding root disk space"
-        growpart /dev/sda 1
-        resize2fs /dev/sda1
         msg "Installing necessary additional packages"
         ooe.sh dnf install -y \
-            python3 \
             setools-console \
-            systemd-devel \
-            container-selinux
+            systemd-devel
         ;;
     *) bad_os_id_ver ;;
 esac
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/tests/selinux.py 
new/udica-0.2.8/tests/selinux.py
--- old/udica-0.2.7/tests/selinux.py    2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/tests/selinux.py    2023-11-29 10:43:34.000000000 +0100
@@ -25,6 +25,8 @@
         return (0, None)
     elif directory == "/dev/fb0":
         return (0, "system_u:object_r:framebuf_device_t:s0")
+    elif directory == "/etc/hosts":
+        return (0, "system_u:object_r:net_conf_t:s0")
     else:
         return (0, "system_u:object_r:var_spool_t:s0")
 
@@ -32,5 +34,7 @@
 def getfilecon(directory):
     if directory == "/tmp/test":
         return (0, "system_u:object_r:user_tmp_t:s0")
+    elif directory == "/etc/hosts":
+        return (0, "system_u:object_r:net_conf_t:s0")
     else:
         return (0, "system_u:object_r:var_spool_t:s0")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/tests/test_basic.cri.cil 
new/udica-0.2.8/tests/test_basic.cri.cil
--- old/udica-0.2.7/tests/test_basic.cri.cil    2022-06-22 13:41:06.000000000 
+0200
+++ new/udica-0.2.8/tests/test_basic.cri.cil    2023-11-29 10:43:34.000000000 
+0100
@@ -250,4 +250,8 @@
     (allow process zoneminder_spool_t ( file ( append create getattr ioctl 
lock map open read rename setattr unlink write ))) 
     (allow process zoneminder_spool_t ( fifo_file ( getattr read write append 
ioctl lock open ))) 
     (allow process zoneminder_spool_t ( sock_file ( append getattr open read 
write ))) 
-)
\ No newline at end of file
+    (allow process net_conf_t ( dir ( getattr ioctl lock open read search ))) 
+    (allow process net_conf_t ( file ( getattr ioctl lock open read ))) 
+    (allow process net_conf_t ( fifo_file ( getattr open read lock ioctl ))) 
+    (allow process net_conf_t ( sock_file ( getattr open read ))) 
+)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/tests/test_basic.cri.json 
new/udica-0.2.8/tests/test_basic.cri.json
--- old/udica-0.2.7/tests/test_basic.cri.json   2022-06-22 13:41:06.000000000 
+0200
+++ new/udica-0.2.8/tests/test_basic.cri.json   2023-11-29 10:43:34.000000000 
+0100
@@ -46,9 +46,9 @@
       },
       {
         "containerPath": "/etc/hosts",
-        "hostPath": 
"/var/lib/kubelet/pods/59ecb6eb-de09-11e9-8ebe-02e4204e049a/etc-hosts",
+        "hostPath": "/etc/hosts",
         "propagation": "PROPAGATION_PRIVATE",
-        "readonly": false,
+        "readonly": true,
         "selinuxRelabel": false
       },
       {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/tests/test_device_access.podman.json 
new/udica-0.2.8/tests/test_device_access.podman.json
--- old/udica-0.2.7/tests/test_device_access.podman.json        1970-01-01 
01:00:00.000000000 +0100
+++ new/udica-0.2.8/tests/test_device_access.podman.json        2023-11-29 
10:43:34.000000000 +0100
@@ -0,0 +1,244 @@
+[
+     {
+          "Id": 
"68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744",
+          "Created": "2022-08-11T20:54:51.026287311+02:00",
+          "Path": "/bin/bash",
+          "Args": [
+               "/bin/bash"
+          ],
+          "State": {
+               "OciVersion": "1.0.2-dev",
+               "Status": "exited",
+               "Running": false,
+               "Paused": false,
+               "Restarting": false,
+               "OOMKilled": false,
+               "Dead": false,
+               "Pid": 0,
+               "ExitCode": 0,
+               "Error": "",
+               "StartedAt": "2022-08-11T20:54:51.116938836+02:00",
+               "FinishedAt": "2022-08-11T20:54:51.1327839+02:00",
+               "Health": {
+                    "Status": "",
+                    "FailingStreak": 0,
+                    "Log": null
+               },
+               "CheckpointedAt": "0001-01-01T00:00:00Z",
+               "RestoredAt": "0001-01-01T00:00:00Z"
+          },
+          "Image": 
"2ecb6df959942dd2fdeb65606ca2e42a54f8c06af10eeb594fdfc3e2656c53d1",
+          "ImageName": "registry.fedoraproject.org/fedora:latest",
+          "Rootfs": "",
+          "Pod": "",
+          "ResolvConfPath": 
"/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/resolv.conf",
+          "HostnamePath": 
"/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/hostname",
+          "HostsPath": 
"/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/hosts",
+          "StaticDir": 
"/home/martin/.local/share/containers/storage/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata",
+          "OCIConfigPath": 
"/home/martin/.local/share/containers/storage/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/config.json",
+          "OCIRuntime": "crun",
+          "ConmonPidFile": 
"/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/conmon.pid",
+          "PidFile": 
"/run/user/1000/overlay-containers/68485406c4bbfd2b379beac7d80834a4ca94d7e74ada5019c7499afed62e1744/userdata/pidfile",
+          "Name": "charming_khorana",
+          "RestartCount": 0,
+          "Driver": "overlay",
+          "MountLabel": "system_u:object_r:container_file_t:s0:c8,c574",
+          "ProcessLabel": "system_u:system_r:container_t:s0:c8,c574",
+          "AppArmorProfile": "",
+          "EffectiveCaps": [
+               "CAP_CHOWN",
+               "CAP_DAC_OVERRIDE",
+               "CAP_FOWNER",
+               "CAP_FSETID",
+               "CAP_KILL",
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SETFCAP",
+               "CAP_SETGID",
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SYS_CHROOT"
+          ],
+          "BoundingCaps": [
+               "CAP_CHOWN",
+               "CAP_DAC_OVERRIDE",
+               "CAP_FOWNER",
+               "CAP_FSETID",
+               "CAP_KILL",
+               "CAP_NET_BIND_SERVICE",
+               "CAP_SETFCAP",
+               "CAP_SETGID",
+               "CAP_SETPCAP",
+               "CAP_SETUID",
+               "CAP_SYS_CHROOT"
+          ],
+          "ExecIDs": [],
+          "GraphDriver": {
+               "Name": "overlay",
+               "Data": {
+                    "LowerDir": 
"/home/martin/.local/share/containers/storage/overlay/1da06ca5080c2ce2499e2f9802259209c7dd85c92d64852c3165425cdc18c443/diff",
+                    "UpperDir": 
"/home/martin/.local/share/containers/storage/overlay/98294044df8fadc428b8a41befc0c83d574601b56076c62ce7fa93df6c48f8dc/diff",
+                    "WorkDir": 
"/home/martin/.local/share/containers/storage/overlay/98294044df8fadc428b8a41befc0c83d574601b56076c62ce7fa93df6c48f8dc/work"
+               }
+          },
+          "Mounts": [],
+          "Dependencies": [],
+          "NetworkSettings": {
+               "EndpointID": "",
+               "Gateway": "",
+               "IPAddress": "",
+               "IPPrefixLen": 0,
+               "IPv6Gateway": "",
+               "GlobalIPv6Address": "",
+               "GlobalIPv6PrefixLen": 0,
+               "MacAddress": "",
+               "Bridge": "",
+               "SandboxID": "",
+               "HairpinMode": false,
+               "LinkLocalIPv6Address": "",
+               "LinkLocalIPv6PrefixLen": 0,
+               "Ports": {},
+               "SandboxKey": ""
+          },
+          "Namespace": "",
+          "IsInfra": false,
+          "Config": {
+               "Hostname": "68485406c4bb",
+               "Domainname": "",
+               "User": "",
+               "AttachStdin": false,
+               "AttachStdout": false,
+               "AttachStderr": false,
+               "Tty": false,
+               "OpenStdin": false,
+               "StdinOnce": false,
+               "Env": [
+                    "FGC=f36",
+                    "DISTTAG=f36container",
+                    
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+                    "TERM=xterm",
+                    "container=oci",
+                    "HOME=/root",
+                    "HOSTNAME=68485406c4bb"
+               ],
+               "Cmd": [
+                    "/bin/bash"
+               ],
+               "Image": "registry.fedoraproject.org/fedora:latest",
+               "Volumes": null,
+               "WorkingDir": "/",
+               "Entrypoint": "",
+               "OnBuild": null,
+               "Labels": {
+                    "license": "MIT",
+                    "name": "fedora",
+                    "vendor": "Fedora Project",
+                    "version": "36"
+               },
+               "Annotations": {
+                    "io.container.manager": "libpod",
+                    "io.kubernetes.cri-o.Created": 
"2022-08-11T20:54:51.026287311+02:00",
+                    "io.kubernetes.cri-o.TTY": "false",
+                    "io.podman.annotations.autoremove": "FALSE",
+                    "io.podman.annotations.init": "FALSE",
+                    "io.podman.annotations.privileged": "FALSE",
+                    "io.podman.annotations.publish-all": "FALSE",
+                    "org.opencontainers.image.stopSignal": "15"
+               },
+               "StopSignal": 15,
+               "CreateCommand": [
+                    "podman",
+                    "run",
+                    "--device",
+                    "/dev/fb0",
+                    "fedora"
+               ],
+               "Umask": "0022",
+               "Timeout": 0,
+               "StopTimeout": 10,
+               "Passwd": true
+          },
+          "HostConfig": {
+               "Binds": [],
+               "CgroupManager": "systemd",
+               "CgroupMode": "private",
+               "ContainerIDFile": "",
+               "LogConfig": {
+                    "Type": "journald",
+                    "Config": null,
+                    "Path": "",
+                    "Tag": "",
+                    "Size": "0B"
+               },
+               "NetworkMode": "slirp4netns",
+               "PortBindings": {},
+               "RestartPolicy": {
+                    "Name": "",
+                    "MaximumRetryCount": 0
+               },
+               "AutoRemove": false,
+               "VolumeDriver": "",
+               "VolumesFrom": null,
+               "CapAdd": [],
+               "CapDrop": [
+                    "CAP_AUDIT_WRITE",
+                    "CAP_MKNOD",
+                    "CAP_NET_RAW"
+               ],
+               "Dns": [],
+               "DnsOptions": [],
+               "DnsSearch": [],
+               "ExtraHosts": [],
+               "GroupAdd": [],
+               "IpcMode": "shareable",
+               "Cgroup": "",
+               "Cgroups": "default",
+               "Links": null,
+               "OomScoreAdj": 0,
+               "PidMode": "private",
+               "Privileged": false,
+               "PublishAllPorts": false,
+               "ReadonlyRootfs": false,
+               "SecurityOpt": [],
+               "Tmpfs": {},
+               "UTSMode": "private",
+               "UsernsMode": "",
+               "ShmSize": 65536000,
+               "Runtime": "oci",
+               "ConsoleSize": [
+                    0,
+                    0
+               ],
+               "Isolation": "",
+               "CpuShares": 0,
+               "Memory": 0,
+               "NanoCpus": 0,
+               "CgroupParent": "user.slice",
+               "BlkioWeight": 0,
+               "BlkioWeightDevice": null,
+               "BlkioDeviceReadBps": null,
+               "BlkioDeviceWriteBps": null,
+               "BlkioDeviceReadIOps": null,
+               "BlkioDeviceWriteIOps": null,
+               "CpuPeriod": 0,
+               "CpuQuota": 0,
+               "CpuRealtimePeriod": 0,
+               "CpuRealtimeRuntime": 0,
+               "CpusetCpus": "",
+               "CpusetMems": "",
+               "Devices": [],
+               "DiskQuota": 0,
+               "KernelMemory": 0,
+               "MemoryReservation": 0,
+               "MemorySwap": 0,
+               "MemorySwappiness": 0,
+               "OomKillDisable": false,
+               "PidsLimit": 2048,
+               "Ulimits": [],
+               "CpuCount": 0,
+               "CpuPercent": 0,
+               "IOMaximumIOps": 0,
+               "IOMaximumBandwidth": 0,
+               "CgroupConf": null
+          }
+     }
+]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/tests/test_main.py 
new/udica-0.2.8/tests/test_main.py
--- old/udica-0.2.7/tests/test_main.py  2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/tests/test_main.py  2023-11-29 10:43:34.000000000 +0100
@@ -119,7 +119,7 @@
         self.assert_policy(test_file("test_basic.docker.cil"))
 
     def test_basic_cri(self):
-        """Start CRI-O mounting /var/spool with read/write perms and /home 
with readonly perms"""
+        """Start CRI-O mounting /var/spool with read/write perms and /home and 
/etc/hosts with readonly perms"""
         output = self.run_udica(
             [
                 "udica",
@@ -135,7 +135,7 @@
         self.assert_policy(test_file("test_basic.cri.cil"))
 
     def test_basic_specified_engine_cri(self):
-        """Start CRI-O mounting /var/spool with read/write perms and /home 
with readonly perms"""
+        """Start CRI-O mounting /var/spool with read/write perms and /home and 
/etc/hosts with readonly perms"""
         output = self.run_udica(
             [
                 "udica",
@@ -353,6 +353,21 @@
         )
         self.assert_templates(output, ["base_container"])
         self.assert_policy(test_file("test_devices.podman.cil"))
+
+    def test_device_access_podman(self):
+        """podman run --device /dev/fb0 fedora"""
+        output = self.run_udica(
+            [
+                "udica",
+                "-j",
+                "tests/test_devices.podman.json",
+                "--devices",
+                "/dev/fb0",
+                "my_container",
+            ]
+        )
+        self.assert_templates(output, ["base_container"])
+        self.assert_policy(test_file("test_devices.podman.cil"))
 
     def run_udica(self, args):
         with patch("sys.argv", args):
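Review bot: `test_device_access_podman` passes `tests/test_devices.podman.json` to `-j`, whereas the fixture this release adds, `tests/test_device_access.podman.json`, has an empty `HostConfig.Devices` list and is not referenced anywhere in the visible hunks. If the older fixture already lists devices, the test cannot tell whether `/dev/fb0` came from `--devices` or from the JSON, so the override path would not really be covered. Pointing the argument at the new fixture, `"tests/test_device_access.podman.json",`, would exercise it. The expected policy may then need its own `.cil` file instead of `test_devices.podman.cil`, which I cannot confirm from this diff.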
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/udica/__main__.py 
new/udica-0.2.8/udica/__main__.py
--- old/udica-0.2.7/udica/__main__.py   2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/udica/__main__.py   2023-11-29 10:43:34.000000000 +0100
@@ -100,6 +100,14 @@
         default=None,
     )
     parser.add_argument(
+        "--devices",
+        type=str,
+        help='List of devices the container should have access to, e.g 
"--devices /dev/dri/card0,/dev/dri/renderD128"',
+        dest="Devices",
+        required=False,
+        default=None,
+    )
+    parser.add_argument(
         "-d",
         "--ansible",
         help="Generate ansible playbook to deploy SELinux policy for 
containers ",
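Review bot: The `--devices` help string does not say that the option replaces the device list taken from the inspect JSON, which the man page in this same release does state. Someone reading only `udica --help` could expect the given devices to be added to those in the JSON and end up with a policy missing access they assumed was kept. Suggested addition to the help text: `(overrides devices specified in the container JSON)`. The `add_argument` call sits inside a function that starts above this hunk.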
@@ -132,7 +140,6 @@
 
 
 def main():
-
     opts = get_args()
 
     if opts["ContainerID"]:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/udica/man/man8/udica.8 
new/udica-0.2.8/udica/man/man8/udica.8
--- old/udica-0.2.7/udica/man/man8/udica.8      2022-06-22 13:41:06.000000000 
+0200
+++ new/udica-0.2.8/udica/man/man8/udica.8      2023-11-29 10:43:34.000000000 
+0100
@@ -54,6 +54,11 @@
 (mandatory to use for Docker Engine, see the BUGS section)
 
 .TP
+.I  \-\-devices DEVS
+List of devices the container should have access to, e.g "\-\-devices 
/dev/dri/card0,/dev/dri/renderD128"
+(overrides devices specified in the conatiner JSON)
+
+.TP
 .I  \-a, \-\-append-rules FILE
 Append more SELinux allow rules generated from SELinux denials in audit daemon.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/udica/policy.py 
new/udica-0.2.8/udica/policy.py
--- old/udica-0.2.7/udica/policy.py     2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/udica/policy.py     2023-11-29 10:43:34.000000000 +0100
@@ -88,7 +88,6 @@
 
 
 def list_ports(port_number, port_proto):
-
     handle = semanage.semanage_handle_create()
     semanage.semanage_connect(handle)
 
@@ -173,6 +172,8 @@
     # devices
     # Not applicable for CRI-O container engine
     if inspect_format != "CRI-0":
+        if opts["Devices"]:
+            devices = [{"PathOnHost": device} for device in 
opts["Devices"].split(",")]
         write_policy_for_podman_devices(devices, policy)
 
     # mounts
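Review bot: The new `opts["Devices"].split(",")` passes every fragment on as a `PathOnHost`, so a trailing comma or a space after a comma yields an empty or space-prefixed path that goes unchecked into `write_policy_for_podman_devices`, whose handling of it is outside this hunk. Filtering and trimming at the split keeps stray entries out of the generated policy: `devices = [{"PathOnHost": d.strip()} for d in opts["Devices"].split(",") if d.strip()]`. Rejecting entries that are not absolute paths would also catch typos before they turn into allow rules. The unchanged guard just above compares against `"CRI-0"` with a digit zero while its comment says CRI-O; if the engine name is spelled with the letter O elsewhere, that condition is always true and worth confirming.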
@@ -283,7 +284,7 @@
             + " ))) \n"
         )
 
-    for contexts in sorted(set(contexts_readonly)):
+    for context in sorted(set(contexts_readonly)):
         policy.write(
             "    (allow process "
             + context
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/udica-0.2.7/udica/version.py 
new/udica-0.2.8/udica/version.py
--- old/udica-0.2.7/udica/version.py    2022-06-22 13:41:06.000000000 +0200
+++ new/udica-0.2.8/udica/version.py    2023-11-29 10:43:34.000000000 +0100
@@ -1 +1 @@
-version = "0.2.7"
+version = "0.2.8"
