diff --git a/0099-fix-permit-dots-in-the-resource-policy-id.patch b/0099-fix-permit-dots-in-the-resource-policy-id.patch
new file mode 100644
index 0000000000000000000000000000000000000000..621a672f48ed729cdeea5a218d31ba353ed4e8db
--- /dev/null
+++ b/0099-fix-permit-dots-in-the-resource-policy-id.patch
@@ -0,0 +1,125 @@
+From ff132ef73f293a5627a4dae58417a2c571fb6674 Mon Sep 17 00:00:00 2001
+From: chenjiayi
+Date: Mon, 10 Mar 2025 14:34:55 +0800
+Subject: [PATCH 1/1] fix: permit dots in the resource policy id
+
+The resource policy id ends with '.rego', thus dots should be allowed
+when checking the legitimacy of resource policy id.
+---
+ .../src/resource/policy/mod.rs | 16 ++++++++++++
+ .../src/resource/policy/opa/mod.rs | 25 +++++++++++++------
+ 2 files changed, 33 insertions(+), 8 deletions(-)
+
+diff --git a/service/attestation/attestation-types/src/resource/policy/mod.rs b/service/attestation/attestation-types/src/resource/policy/mod.rs
+index 6ad05dd..46f46ae 100644
+--- a/service/attestation/attestation-types/src/resource/policy/mod.rs
++++ b/service/attestation/attestation-types/src/resource/policy/mod.rs
+@@ -33,6 +33,22 @@ pub struct PolicyLocation {
+ pub id: String,
+ }
+
++impl PolicyLocation {
++ pub(crate) fn check_legal(&self) -> bool {
++ if let Some(v) = &self.vendor {
++ if v.contains(['.', '/']) {
++ return false;
++ }
++ }
++
++ if self.id.contains(['/']) || !self.id.ends_with(".rego") {
++ return false;
++ }
++
++ true
++ }
++}
++
+ impl std::convert::From for String {
+ fn from(value: PolicyLocation) -> Self {
+ format!("{}", value)
+diff --git a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+index 8e2486a..d702061 100644
+--- a/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
++++ b/service/attestation/attestation-types/src/resource/policy/opa/mod.rs
+@@ -16,7 +16,7 @@ use crate::resource::{
+ policy::PolicyEngine,
+ ResourceLocation, DEFAULT_VENDOR_BASE,
+ };
+-use anyhow::{bail, Context};
++use anyhow::Context;
+ use async_trait::async_trait;
+ use std::path::PathBuf;
+
+@@ -33,7 +33,16 @@ impl OpenPolicyAgent {
+ OpenPolicyAgent { base }
+ }
+
+- pub(crate) fn regular(&self, vendor: &str) -> Result {
++ pub(crate) fn 
regular_policy(&self, policy: &PolicyLocation) -> Result {
++ let p = policy.to_string();
++ if !policy.check_legal() {
++ return Err(ResourceError::IllegalPolicyLocation(p));
++ }
++
++ Ok(self.base.join(p))
++ }
++
++ pub(crate) fn regular_vendor(&self, vendor: &str) -> Result {
+ if !Self::check_vendor_legal(vendor) {
+ return Err(ResourceError::IllegalVendor(vendor.to_string()));
+ }
+@@ -48,7 +57,7 @@ impl OpenPolicyAgent {
+ }
+
+ pub(crate) fn check_vendor_legal(vendor: &str) -> bool {
+- if vendor.contains('.') {
++ if vendor.contains(['.', '/']) {
+ return false;
+ }
+ true
+@@ -157,13 +166,13 @@ impl PolicyEngine for OpenPolicyAgent {
+ }
+
+ async fn get_policy(&self, path: PolicyLocation) -> Result {
+- let p = self.regular(&format!("{}", path))?;
++ let p = self.regular_policy(&path)?;
+ let raw = tokio::fs::read(p).await?;
+ Ok(String::from_utf8(raw)?)
+ }
+
+ async fn add_policy(&self, path: PolicyLocation, policy: &str) -> Result<()> {
+- let p = self.regular(&format!("{}", path))?;
++ let p = self.regular_policy(&path)?;
+ if let Some(parent) = p.parent() {
+ if let Err(e) = tokio::fs::create_dir_all(parent).await {
+ log::warn!(
+@@ -178,7 +187,7 @@ impl PolicyEngine for OpenPolicyAgent {
+ }
+
+ async fn delete_policy(&self, path: PolicyLocation) -> Result<()> {
+- let p = self.regular(&format!("{}", path))?;
++ let p = self.regular_policy(&path)?;
+ tokio::fs::remove_file(p).await?;
+ Ok(())
+ }
+@@ -221,7 +230,7 @@ impl PolicyEngine for OpenPolicyAgent {
+ }
+
+ async fn get_all_policy_in_vendor(&self, vendor: &str) -> Result> {
+- let vendor_dir = self.regular(vendor)?;
++ let vendor_dir = self.regular_vendor(vendor)?;
+ let mut dir = tokio::fs::read_dir(vendor_dir).await?;
+ let mut ret: Vec = vec![];
+ while let Some(d) = dir.next_entry().await? 
{ +@@ -285,7 +294,7 @@ impl PolicyEngine for OpenPolicyAgent { + } + + async fn clear_all_policy_in_vendor(&self, vendor: &str) -> Result<()> { +- let vendor_dir = self.regular(vendor)?; ++ let vendor_dir = self.regular_vendor(vendor)?; + let md = tokio::fs::metadata(&vendor_dir) + .await + .context("fetching metadata failed")?; +-- +2.46.0 + diff --git a/secGear.spec b/secGear.spec index 72034cfa9a62e564a48a91cb4c0fcc70484bf08a..efe58e11670a81182779848507b2e0765ae0a053 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 56 +Release: 57 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -108,6 +108,7 @@ Patch94: 0095-fix-abort-binding-policies-if-any-policy-location-is.patch Patch95: 0096-fix-use-default-vendor-for-resource-policy-if-it-is-.patch Patch96: 0097-fix-fix-incorrect-error-message-when-modifying-a-non.patch Patch97: 0098-fix-avoid-clear-resource-policies-if-illegal-vendor-.patch +Patch98: 0099-fix-permit-dots-in-the-resource-policy-id.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -348,6 +349,9 @@ popd systemctl restart rsyslog %changelog +* Mon Mar 10 2025 chenjiayi - 0.1.0-57 +- fix permit dots in the resource policy id + * Tue Mar 4 2025 ExtinctFire - 0.1.0-56 - fix several bugs.
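Review bot: In the added 0099 patch, `regular_policy` (opa/mod.rs) validates `vendor` and `id` as separate fields through `check_legal` but then joins `policy.to_string()` onto `base`, so containment depends on the `Display` output, which is not shown here, always being a relative path built from exactly those fields. `PathBuf::join` discards `base` when its argument is absolute, and `check_legal` accepts an empty `vendor`, so if `Display` can ever yield a leading `/` the resolved path would fall outside the policy directory; this is inferred, since the format string is outside the hunk. A guard that does not depend on the format is `let full = self.base.join(&p); if !full.starts_with(&self.base) { return Err(ResourceError::IllegalPolicyLocation(p)); } Ok(full)`. The vendor rule is also now written twice (`check_legal` and `check_vendor_legal`), so a later change to one can miss the other. A `///` comment on `check_legal` stating the accepted id form (no `/`, suffix `.rego`) would make the contract explicit for the `get_policy`, `add_policy` and `delete_policy` callers.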