Clean up after adding LDX support

- Make write_policy_for_containerd_mounts more robust and remove
  write_policy_for_lxd_mounts since it is the same
- Fix formatting based on "black"

Signed-off-by: Vit Mojzis <[email protected]>

Author: vmojzis

udica/parse.py

@@ -64,14 +64,12 @@ def json_is_containerd_format(json_rep):
 
 def json_is_podman_format(json_rep):
     """Check if the inspected file is in a format from podman."""
-    return (
-        isinstance(json_rep, list)
-        and (
-            "container=oci" in json_rep[0]["Config"]["Env"]
-            or "container=podman" in json_rep[0]["Config"]["Env"]
-        )
+    return isinstance(json_rep, list) and (
+        "container=oci" in json_rep[0]["Config"]["Env"]
+        or "container=podman" in json_rep[0]["Config"]["Env"]
     )
 
+
 def json_is_lxd_format(json_rep):
     """Check if the inspected file is in a format from LXD."""
     return (
@@ -85,7 +83,7 @@ def json_is_lxd_format(json_rep):
 
 def get_engine_helper(data, ContainerEngine):
     engine = validate_container_engine(ContainerEngine)
-    
+
     if engine == "-":
         json_rep = json.loads(data)
 
@@ -273,6 +271,7 @@ def get_caps(self, data, opts):
             return opts["Caps"].split(",")
         return data[0]["Spec"]["process"]["capabilities"]["effective"]
 
+
 class LxdHelper(EngineHelper):
     def __init__(self):
         super().__init__(ENGINE_LXD)
@@ -311,7 +310,7 @@ def get_ports(self, data):
             if device["type"] == "proxy":
                 port_info = {
                     "portNumber": int(device["listen"].split(":")[-1]),
-                    "protocol": device["connect"].split(":")[0]
+                    "protocol": device["connect"].split(":")[0],
                 }
                 ports.append(port_info)
         return ports

udica/policy.py

@@ -179,10 +179,8 @@ def create_policy(
     # mounts
     if inspect_format == "CRI-O":
         write_policy_for_crio_mounts(mounts, policy)
-    elif inspect_format == "containerd":
+    elif inspect_format in ["containerd", "LXD"]:
         write_policy_for_containerd_mounts(mounts, policy)
-    elif inspect_format == "LXD":
-        write_policy_for_lxd_mounts(mounts, policy)
     else:
         write_policy_for_podman_mounts(mounts, policy)
 
@@ -465,111 +463,6 @@ def write_policy_for_containerd_mounts(mounts, policy):
     #     "nodev"
     #     ]
     # }
-    for item in sorted(mounts, key=lambda x: str(x["source"])):
-        if not item["source"].find("/"):
-            if item["source"] == LOG_CONTAINER and "ro" in item["options"]:
-                policy.write("    (blockinherit log_container)\n")
-                add_template("log_container")
-                continue
-
-            if item["source"] == LOG_CONTAINER and "ro" not in item["options"]:
-                policy.write("    (blockinherit log_rw_container)\n")
-                add_template("log_container")
-                continue
-
-            if item["source"] == HOME_CONTAINER and "ro" in item["options"]:
-                policy.write("    (blockinherit home_container)\n")
-                add_template("home_container")
-                continue
-
-            if item["source"] == HOME_CONTAINER and "ro" not in item["options"]:
-                policy.write("    (blockinherit home_rw_container)\n")
-                add_template("home_container")
-                continue
-
-            if item["source"] == TMP_CONTAINER and "ro" in item["options"]:
-                policy.write("    (blockinherit tmp_container)\n")
-                add_template("tmp_container")
-                continue
-
-            if item["source"] == TMP_CONTAINER and "ro" not in item["options"]:
-                policy.write("    (blockinherit tmp_rw_container)\n")
-                add_template("tmp_container")
-                continue
-
-            if item["source"] == CONFIG_CONTAINER and "ro" in item["options"]:
-                policy.write("    (blockinherit config_container)\n")
-                add_template("config_container")
-                continue
-
-            if item["source"] == CONFIG_CONTAINER and "ro" not in item["options"]:
-                policy.write("    (blockinherit config_rw_container)\n")
-                add_template("config_container")
-                continue
-
-            contexts = list_contexts(item["source"])
-            for context in contexts:
-                if "ro" not in item["options"]:
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( dir ( "
-                        + perms.perm["dir_rw"]
-                        + " ))) \n"
-                    )
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( file ( "
-                        + perms.perm["file_rw"]
-                        + " ))) \n"
-                    )
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( fifo_file ( "
-                        + perms.perm["fifo_rw"]
-                        + " ))) \n"
-                    )
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( sock_file ( "
-                        + perms.perm["socket_rw"]
-                        + " ))) \n"
-                    )
-                if "ro" in item["options"]:
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( dir ( "
-                        + perms.perm["dir_ro"]
-                        + " ))) \n"
-                    )
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( file ( "
-                        + perms.perm["file_ro"]
-                        + " ))) \n"
-                    )
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( fifo_file ( "
-                        + perms.perm["fifo_ro"]
-                        + " ))) \n"
-                    )
-                    policy.write(
-                        "    (allow process "
-                        + context
-                        + " ( sock_file ( "
-                        + perms.perm["socket_ro"]
-                        + " ))) \n"
-                    )
-
-
-def write_policy_for_lxd_mounts(mounts, policy):
     for item in sorted(mounts, key=lambda x: str(x["source"])):
         if not item["source"].find("/"):
             if item["source"] == LOG_CONTAINER and "ro" in item.get("options", []):
@@ -607,7 +500,9 @@ def write_policy_for_lxd_mounts(mounts, policy):
                 add_template("config_container")
                 continue
 
-            if item["source"] == CONFIG_CONTAINER and "ro" not in item.get("options", []):
+            if item["source"] == CONFIG_CONTAINER and "ro" not in item.get(
+                "options", []
+            ):
                 policy.write("    (blockinherit config_rw_container)\n")
                 add_template("config_container")
                 continue