Add prefix directories in CRI-O mounts

.cirrus.yml

@@ -17,7 +17,7 @@ env:
     #### Cache-image names to test with
     ####
     # Google-cloud VM Images
-    IMAGE_SUFFIX: "c20240529t141726z-f40f39d13"
+    IMAGE_SUFFIX: "c20250131t121915z-f41f40d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
 
     ####

.github/workflows/checks.yml

@@ -4,7 +4,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: sudo apt-get update -y
       - run: sudo apt-get install -y python3-pip python3-setuptools
       - run: sudo pip3 install black pyflakes
@@ -27,7 +27,7 @@ jobs:
     container:
       image: ${{ matrix.image }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - run: rpm -q python3 || dnf install --nogpgcheck -y python3
       - run: rpm -q git || dnf install --nogpgcheck -y git
       - run: python3 -m unittest -v tests/test_unit.py

udica/policy.py

@@ -106,7 +106,14 @@ def list_ports(port_number, port_proto):
 
 
 def create_policy(
-    opts, capabilities, devices, mounts, ports, append_rules, inspect_format
+    opts,
+    capabilities,
+    devices,
+    mounts,
+    ports,
+    append_rules,
+    inspect_format,
+    prefix_dir="",
 ):
     policy = open(opts["ContainerName"] + ".cil", "w")
     policy.write("(block " + opts["ContainerName"] + "\n")
@@ -178,7 +185,7 @@ def create_policy(
 
     # mounts
     if inspect_format == "CRI-O":
-        write_policy_for_crio_mounts(mounts, policy)
+        write_policy_for_crio_mounts(mounts, policy, prefix_dir)
     elif inspect_format == "containerd":
         write_policy_for_containerd_mounts(mounts, policy)
     else:
@@ -207,52 +214,53 @@ def create_policy(
     policy.close()
 
 
-def write_policy_for_crio_mounts(mounts, policy):
+def write_policy_for_crio_mounts(mounts, policy, prefix_dir=""):
     contexts = []
     contexts_readonly = []
 
     for item in mounts:
-        if item["hostPath"].startswith("/var/lib/kubelet"):
+        # Include prefix_dir in the path for Kubernetes container calls.
+        host_path = prefix_dir + item["hostPath"]
+
+        if host_path.startswith("/var/lib/kubelet"):
             # These should already have the right context
             continue
-        if item["hostPath"] == LOG_CONTAINER:
+        if host_path == LOG_CONTAINER:
             if item["readonly"]:
                 policy.write("    (blockinherit log_container)\n")
             else:
                 policy.write("    (blockinherit log_rw_container)\n")
             add_template("log_container")
             continue
 
-        if item["hostPath"] == HOME_CONTAINER:
+        if host_path == HOME_CONTAINER:
             if item["readonly"]:
                 policy.write("    (blockinherit home_container)\n")
             else:
                 policy.write("    (blockinherit home_rw_container)\n")
             add_template("home_container")
             continue
 
-        if item["hostPath"] == TMP_CONTAINER:
+        if host_path == TMP_CONTAINER:
             if item["readonly"]:
                 policy.write("    (blockinherit tmp_container)\n")
             else:
                 policy.write("    (blockinherit tmp_rw_container)\n")
             add_template("tmp_container")
             continue
 
-        if item["hostPath"] == CONFIG_CONTAINER:
+        if host_path == CONFIG_CONTAINER:
             if item["readonly"]:
                 policy.write("    (blockinherit config_container)\n")
             else:
                 policy.write("    (blockinherit config_rw_container)\n")
             add_template("config_container")
             continue
 
-        # TODO(jaosorior): Add prefix-dir to path. This way we could call this
-        # from a container in kubernetes
         if item["readonly"] is False:
-            contexts.extend(list_contexts(item["hostPath"]))
+            contexts.extend(list_contexts(host_path))
         else:
-            contexts_readonly.extend(list_contexts(item["hostPath"]))
+            contexts_readonly.extend(list_contexts(host_path))
 
     for context in sorted(set(contexts)):
         policy.write(