microsoft · jiria · Apr 15, 2024 · Apr 16, 2024 · Apr 12, 2024 · Apr 15, 2024
@@ -0,0 +1,5 @@
+# By default, all files require review by members of these teams
+* @microsoft/kata-cc-devs @microsoft/kata-cc-admins
+
+# Modifications to this file require admin approval
+/.github/CODEOWNERS @microsoft/kata-cc-admins
@@ -0,0 +1,11 @@
+###### Merge Checklist  <!-- REQUIRED -->
+- [ ] Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
+  - [ ] Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
+- [ ] Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
+- [ ] The `upstream/missing` label (or `upstream/not-needed`) has been set on the PR. 
+
+###### Summary <!-- REQUIRED -->
+<!-- Quick explanation of WHAT changed and WHY. -->
+
+###### Test Methodology
+<!-- How was this test validated? i.e. local build, pipeline build etc. -->
@@ -33,6 +33,7 @@ jobs:
           - cloud-hypervisor
           - cloud-hypervisor-glibc
           - firecracker
+          - genpolicy
           - kata-ctl
           - kernel
           - kernel-sev

@@ -0,0 +1,49 @@
+# Copyright (c) Microsoft Corporation.
+
+name: Check policy samples
+
+on:
+  pull_request:
+
+jobs:
+  check-policy-samples:
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Install yq
+      env:
+        INSTALL_IN_GOPATH: false
+      run: |
+        ./ci/install_yq.sh
+
+    - name: Install Rust
+      run: |
+        ./tests/install_rust.sh
+        echo "${HOME}/.cargo/bin" >> $GITHUB_PATH
+
+    - name: Install protobuf-compiler
+      run: |
+        sudo apt-get -y install protobuf-compiler
+
+    - name: Configure containerd
+      run: |
+        sudo containerd config default | sudo dd of=/etc/containerd/config.toml
+        sudo systemctl restart containerd
+        sudo systemctl is-active containerd
+
+    - name: Update policy samples
+      working-directory: ./src/tools/genpolicy
+      run: |
+        python3 update_policy_samples.py
+
+    - name: Show diff
+      run: |
+        git diff
+
+    - name: Check policy samples
+      run: |
+        git diff-files --exit-code
@@ -86,17 +86,6 @@ jobs:
         error: 'Body line too long (max 150)'
         post_error: ${{ env.error_msg }}
 
-    - name: Check Fixes
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
-      with:
-        commits: ${{ steps.get-pr-commits.outputs.commits }}
-        pattern: '\s*Fixes\s*:?\s*(#\d+|github\.com\/kata-containers\/[a-z-.]*#\d+)|^\s*release\s*:'
-        flags: 'i'
-        error: 'No "Fixes" found'
-        post_error: ${{ env.error_msg }}
-        one_pass_all_pass: 'true'
-
     - name: Check Subsystem
       if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
       uses: tim-actions/commit-message-checker-with-regex@v0.3.1

@@ -62,11 +62,10 @@ jobs:
             grep -v "^\#"  |\
             cut -d';' -f3 || true)
 
-          # PR doesn't have any linked issues
-          # (it should, but maybe a new user forgot to add a "Fixes: #XXX" commit).
+          # PR doesn't have any linked issues, handle it only if it exists
           [ -z "$linked_issue_urls" ] && {
-            echo "::error::No linked issues for PR $pr"
-            exit 1
+            echo "::warning::No linked issues for PR $pr"
+            exit 0
           }
 
           project_name="Issue backlog"

@@ -49,6 +49,7 @@ jobs:
           - log-parser-rs
           - runk
           - trace-forwarder
+          - genpolicy
         command:
           - "make vendor"
           - "make check"
@@ -78,6 +79,8 @@ jobs:
             install-libseccomp: yes
           - component: runk
             install-libseccomp: yes
+          - component: genpolicy
+            component-path: src/tools/genpolicy
     steps:
       - name: Checkout the code
         uses: actions/checkout@v4
@@ -98,9 +101,15 @@ jobs:
         run: |
           ./tests/install_rust.sh
           echo "${HOME}/.cargo/bin" >> $GITHUB_PATH
+      - name: Install protobuf-compiler
+        if: ${{ matrix.command == 'make check' && matrix.component == 'genpolicy' }}
+        run: sudo apt-get -y install protobuf-compiler
       - name: Install musl-tools
         if: ${{ matrix.component != 'runtime' }}
         run: sudo apt-get -y install musl-tools
+      - name: Install devicemapper
+        if: ${{ (matrix.command == 'make check' || matrix.command == 'make test') && matrix.component == 'agent' }}
+        run: sudo apt-get -y install libdevmapper-dev
       - name: Install libseccomp
         if: ${{ matrix.command != 'make vendor'  &&  matrix.command != 'make check' &&  matrix.install-libseccomp == 'yes' }}
         run: |

@@ -15,3 +15,24 @@ src/agent/protocols/src/*.rs
 !src/agent/protocols/src/lib.rs
 build
 src/tools/log-parser/kata-log-parser
+
+# Microsoft-specific
+.cargo/
+vendor/
+src/agent/samples/policy/test-input/
+src/tarfs/**/*.cmd
+src/tarfs/**/*.ko
+src/tarfs/**/*.mod
+src/tarfs/**/*.mod.c
+src/tarfs/**/*.o
+src/tarfs/**/modules.order
+src/tarfs/**/Module.symvers
+src/tarfs-cvm/
+tools/osbuilder/kata-containers-igvm.img
+tools/osbuilder/kata-containers-igvm-debug.img
+tools/osbuilder/igvm-debug-measurement.cose
+tools/osbuilder/igvm-measurement.cose
+tools/osbuilder/root_hash.txt
+tools/osbuilder/igvm.log
+tools/osbuilder/kata-opa.service
+tools/osbuilder/rootfs-builder/opa/
@@ -11,6 +11,10 @@ COMPONENTS += agent
 COMPONENTS += dragonball
 COMPONENTS += runtime
 COMPONENTS += runtime-rs
+COMPONENTS += tarfs
+COMPONENTS += tardev-snapshotter
+COMPONENTS += overlay
+COMPONENTS += utarfs
 
 # List of available tools
 TOOLS =

@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet) and [Xamarin](https://github.com/xamarin).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
@@ -46,4 +46,6 @@
 - [How to run Kata Containers with AMD SEV-SNP](how-to-run-kata-containers-with-SNP-VMs.md)
 - [How to use EROFS to build rootfs in Kata Containers](how-to-use-erofs-build-rootfs.md)
 - [How to run Kata Containers with kinds of Block Volumes](how-to-run-kata-containers-with-kinds-of-Block-Volumes.md)
-- [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)
+
+## Confidential Containers
+- [How to use the Kata Agent Policy](how-to-use-the-kata-agent-policy.md)