diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst index 30bae35cc27..6b373c19eed 100644 --- a/src/confcom/HISTORY.rst +++ b/src/confcom/HISTORY.rst @@ -3,6 +3,11 @@ Release History =============== +2.0.0b1 ++++++ +* Add Windows container support with CIM-based layer hashing +* Support for mounted_cim field in security policies for Windows containers + 1.8.0 +++++ * Ensure that fragments are attached to the correct manifest for a multiarch image. diff --git a/src/confcom/README.md b/src/confcom/README.md index fa5e8d19f87..43aa92a82b9 100644 --- a/src/confcom/README.md +++ b/src/confcom/README.md @@ -29,6 +29,9 @@ ``` - Windows: [Docker Desktop](https://www.docker.com/products/docker-desktop) and [WSL2](https://docs.microsoft.com/en-us/windows/wsl/install) +- **CimWriter.dll** (Windows only, for Windows container support) + - Required for generating security policies for Windows containers + - Windows Server 2025 or newer is recommended for deterministic hash generation ## Installation Instructions (End User) diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md index eb4c33725fb..aa132e91880 100644 --- a/src/confcom/azext_confcom/README.md +++ b/src/confcom/azext_confcom/README.md @@ -399,7 +399,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.1.0" fragments := [...] @@ -432,6 +432,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} ``` diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py index 031f439e004..ef2d2f3e08f 100644 --- a/src/confcom/azext_confcom/_help.py +++ b/src/confcom/azext_confcom/_help.py @@ -340,7 +340,7 @@ parameters: - name: --platform type: str - short-summary: 'The name of the platform the container definition will run on' + short-summary: 'The name of the platform the container definition will run on. Must be either "aci" or "vn2".' examples: diff --git a/src/confcom/azext_confcom/azext_metadata.json b/src/confcom/azext_confcom/azext_metadata.json index 906e368a65c..316f36c41c2 100644 --- a/src/confcom/azext_confcom/azext_metadata.json +++ b/src/confcom/azext_confcom/azext_metadata.json @@ -1,3 +1,4 @@ { - "azext.minCliCoreVersion": "2.26.2" -} \ No newline at end of file + "azext.minCliCoreVersion": "2.26.2", + "azext.isPreview": true +} diff --git a/src/confcom/azext_confcom/command/containers_from_image.py b/src/confcom/azext_confcom/command/containers_from_image.py index 72560a5317b..7b488d23c10 100644 --- a/src/confcom/azext_confcom/command/containers_from_image.py +++ b/src/confcom/azext_confcom/command/containers_from_image.py @@ -8,5 +8,5 @@ from azext_confcom.lib.containers import from_image as lib_containers_from_image -def containers_from_image(image: str, platform: str) -> None: - print(json.dumps(lib_containers_from_image(image, platform))) +def containers_from_image(image: str, aci_or_vn2: str) -> None: + print(json.dumps(lib_containers_from_image(image, aci_or_vn2))) diff --git a/src/confcom/azext_confcom/command/containers_from_vn2.py b/src/confcom/azext_confcom/command/containers_from_vn2.py index 1d4998b8183..4a0c657939c 100644 --- a/src/confcom/azext_confcom/command/containers_from_vn2.py +++ b/src/confcom/azext_confcom/command/containers_from_vn2.py @@ -192,7 +192,7 @@ def containers_from_vn2( container_defs = [] for template_container, template_doc in template_containers: - image_container_def = container_from_image(template_container.get("image"), platform="vn2") + image_container_def = container_from_image(template_container.get("image"), aci_or_vn2="vn2") template_container_def = { "name": template_container.get("name"), diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py index 7726d5c139b..664c93f4b95 100644 --- a/src/confcom/azext_confcom/config.py +++ b/src/confcom/azext_confcom/config.py @@ -127,6 +127,7 @@ POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE = "pattern" POLICY_FIELD_CONTAINERS_ELEMENTS_REQUIRED = "required" POLICY_FIELD_CONTAINERS_ELEMENTS_LAYERS = "layers" +POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM = "mounted_cim" POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR = "working_dir" POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS = "mounts" POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_SOURCE = "source" @@ -211,6 +212,7 @@ DEFAULT_REGO_FRAGMENTS = _config["default_rego_fragments"] # things that need to be set for debug mode DEBUG_MODE_SETTINGS = _config["debugMode"] +DEBUG_MODE_SETTINGS_WINDOWS = _config["debugModeWindows"] # reserved fragment names for existing pieces of Rego RESERVED_FRAGMENT_NAMES = _config["reserved_fragment_namespaces"] # fragment artifact type @@ -227,6 +229,7 @@ } """ CUSTOMER_REGO_POLICY = load_str_from_file(REGO_FILE_PATH) +CUSTOMER_REGO_POLICY_WINDOWS = load_str_from_file(f"{script_directory}/data/customer_rego_policy_windows.txt") CUSTOMER_REGO_FRAGMENT = load_str_from_file(REGO_FRAGMENT_FILE_PATH) # sidecar rego file SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt" diff --git a/src/confcom/azext_confcom/container.py b/src/confcom/azext_confcom/container.py index fcdc063f33b..c38ca6b4e20 100644 --- a/src/confcom/azext_confcom/container.py +++ b/src/confcom/azext_confcom/container.py @@ -563,6 +563,7 @@ def from_json( mounts=mounts, allow_elevated=allow_elevated, extraEnvironmentRules=[], + platform=container_json["platform"], execProcesses=exec_processes, signals=signals, user=user, @@ -583,6 +584,7 @@ def __init__( allow_elevated: bool, id_val: str, extraEnvironmentRules: Dict, + platform: str = "linux/amd64", entrypoint: List[str] = None, capabilities: Dict = copy.deepcopy(_CAPABILITIES), user: Dict = copy.deepcopy(_DEFAULT_USER), @@ -604,6 +606,7 @@ def __init__( self._command = command self._workingDir = workingDir self._layers = [] + self._mounted_cim = [] self._mounts = mounts self._allow_elevated = allow_elevated self._allow_stdio_access = allowStdioAccess @@ -615,6 +618,7 @@ def __init__( self._exec_processes = execProcesses or [] self._signals = signals or [] self._extraEnvironmentRules = extraEnvironmentRules + self._platform = platform def get_policy_json(self, omit_id: bool = False) -> str: return self._populate_policy_json_elements(omit_id=omit_id) @@ -658,6 +662,12 @@ def get_layers(self) -> List[str]: def set_layers(self, layers: List[str]) -> None: self._layers = layers + def get_mounted_cim(self) -> List[str]: + return self._mounted_cim + + def set_mounted_cim(self, mounted_cim: List[str]) -> None: + self._mounted_cim = mounted_cim + def get_user(self) -> Dict: return self._user @@ -764,16 +774,28 @@ def _populate_policy_json_elements(self, omit_id: bool = False) -> Dict[str, Any config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS: self._get_environment_rules(), config.POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR: self._workingDir, config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS: self._get_mounts_json(), - config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED: self._allow_elevated, config.POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES: self._exec_processes, config.POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES: self._signals, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user(), - config.POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES: self._capabilities, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256: self._seccomp_profile_sha256, config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS: self._allow_stdio_access, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES: not self._allow_privilege_escalation } + if self._platform.startswith("linux"): + elements.update({ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES: self._capabilities, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256: self._seccomp_profile_sha256, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user(), + config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED: self._allow_elevated, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES: not self._allow_privilege_escalation, + }) + elif self._platform.startswith("windows"): + elements.update({ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user()["user_idname"]["pattern"], + }) + # Add mounted_cim for Windows if present + if self._mounted_cim: + elements[config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM] = self._mounted_cim + + if not omit_id: elements[config.POLICY_FIELD_CONTAINERS_ID] = self._identifier # if we are omitting the id, we should remove the id value from the policy if it's in the name field @@ -793,13 +815,14 @@ def from_json( image.__class__ = UserContainerImage # inject default mounts for user container if (image.base not in config.BASELINE_SIDECAR_CONTAINERS) and (not is_vn2): - image.get_mounts().extend(_DEFAULT_MOUNTS) + if container_json["platform"].startswith("linux"): + image.get_mounts().extend(_DEFAULT_MOUNTS) if (image.base not in config.BASELINE_SIDECAR_CONTAINERS) and (is_vn2): image.get_mounts().extend(_DEFAULT_MOUNTS_VN2) # Start with the customer environment rules - env_rules = copy.deepcopy(_INJECTED_CUSTOMER_ENV_RULES) + env_rules = copy.deepcopy(_INJECTED_CUSTOMER_ENV_RULES) if container_json["platform"].startswith("linux") else dict() # If is_vn2, add the VN2 environment rules if is_vn2: env_rules += _INJECTED_SERVICE_VN2_ENV_RULES diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index ff2b03f6b6e..0e6e03dcc20 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -193,7 +193,6 @@ def acipolicygen_confcom( policy.set_fragment_contents(fragment_policy_list) for count, policy in enumerate(container_group_policies): - # this is where parameters and variables are populated policy.populate_policy_content_for_all_images( individual_image=bool(image_name), tar_mapping=tar_mapping, faster_hashing=faster_hashing ) @@ -581,7 +580,7 @@ def containers_from_image( ) -> None: _containers_from_image( image=image, - platform=platform, + aci_or_vn2=platform, ) diff --git a/src/confcom/azext_confcom/data/README b/src/confcom/azext_confcom/data/README new file mode 100644 index 00000000000..bd324ae2744 --- /dev/null +++ b/src/confcom/azext_confcom/data/README @@ -0,0 +1 @@ +internal_config.json and customer_rego_policy.txt are used by the "old style" acipolicygen command. New work should (also) happen in src/confcom/azext_confcom/lib/policy.py (or ensure that it is implemented for `containers from_image`), as eventually the old command will invoke that. diff --git a/src/confcom/azext_confcom/data/customer_rego_policy.txt b/src/confcom/azext_confcom/data/customer_rego_policy.txt index d3b891c04b0..56b1ef7fbcd 100644 --- a/src/confcom/azext_confcom/data/customer_rego_policy.txt +++ b/src/confcom/azext_confcom/data/customer_rego_policy.txt @@ -34,5 +34,6 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} \ No newline at end of file diff --git a/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt new file mode 100644 index 00000000000..f0b3bb7bcad --- /dev/null +++ b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt @@ -0,0 +1,30 @@ +package policy + +import future.keywords.every +import future.keywords.in + +api_version := %s +framework_version := "0.4.1" + +fragments := %s + +containers := %s + +allow_properties_access := %s +allow_dump_stacks := %s +allow_runtime_logging := %s +allow_environment_variable_dropping := %s + +create_container := data.framework.create_container +exec_in_container := data.framework.exec_in_container +exec_external := data.framework.exec_external +shutdown_container := data.framework.shutdown_container +signal_container_process := data.framework.signal_container_process +get_properties := data.framework.get_properties +dump_stacks := data.framework.dump_stacks +runtime_logging := data.framework.runtime_logging +load_fragment := data.framework.load_fragment +scratch_mount := data.framework.scratch_mount +mount_cims := data.framework.mount_cims + +reason := {"errors": data.framework.errors} \ No newline at end of file diff --git a/src/confcom/azext_confcom/data/internal_config.json b/src/confcom/azext_confcom/data/internal_config.json index 9a87356e721..9df4fbcd70e 100644 --- a/src/confcom/azext_confcom/data/internal_config.json +++ b/src/confcom/azext_confcom/data/internal_config.json @@ -4,7 +4,7 @@ "maxVersion": "1.0.0", "minVersion": "0.0.1" }, - "version_api": "0.10.0", + "version_api": "0.11.0", "openGCS": { "environmentVariables": [ { @@ -193,6 +193,29 @@ "allowCapabilityDropping": true, "allowUnencryptedScratch": false }, + "debugModeWindows": { + "environmentVariables": [ + { + "name": ".+", + "value": ".+", + "strategy": "re2", + "required": false + } + ], + "execProcesses": [ + { + "command": [ + "cmd.exe" + ], + "signals": [], + "allow_stdio_access": true + } + ], + "allowPropertiesAccess": true, + "allowDumpStacks": true, + "allowRuntimeLogging": true, + "allowEnvironmentVariableDropping": true + }, "containerd": { "defaultWorkingDir": "/" }, diff --git a/src/confcom/azext_confcom/docs/policy_enforcement_points.md b/src/confcom/azext_confcom/docs/policy_enforcement_points.md index 9ce26f93b4a..52195b8717b 100644 --- a/src/confcom/azext_confcom/docs/policy_enforcement_points.md +++ b/src/confcom/azext_confcom/docs/policy_enforcement_points.md @@ -38,7 +38,7 @@ package mypolicy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.1.0" fragments := [...] @@ -71,6 +71,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} ``` diff --git a/src/confcom/azext_confcom/lib/containers.py b/src/confcom/azext_confcom/lib/containers.py index 4a0523ff3f0..f4ed12b7906 100644 --- a/src/confcom/azext_confcom/lib/containers.py +++ b/src/confcom/azext_confcom/lib/containers.py @@ -3,8 +3,9 @@ # Licensed under the MIT License. See License.txt in the project root for license information. # -------------------------------------------------------------------------------------------- +from typing import Optional from dataclasses import asdict -from azext_confcom.lib.images import get_image_layers, get_image_config +from azext_confcom.lib.images import get_image_layers, get_image_config, get_image_platform from azext_confcom.lib.platform import ACI_MOUNTS, VN2_MOUNTS @@ -35,17 +36,20 @@ def merge_containers(*args) -> dict: return merged_container -def from_image(image: str, platform: str) -> dict: +def from_image(image: str, aci_or_vn2: str) -> dict: mounts = { "aci": [asdict(mount) for mount in ACI_MOUNTS], "vn2": VN2_MOUNTS, - }.get(platform, None) + }.get(aci_or_vn2, None) + + image_platform = get_image_platform(image) return { "id": image, "name": image, - "layers": get_image_layers(image), + "layers": get_image_layers(image, platform=image_platform), + "platform": image_platform, **({"mounts": mounts} if mounts else {}), **get_image_config(image), } diff --git a/src/confcom/azext_confcom/lib/defaults.py b/src/confcom/azext_confcom/lib/defaults.py new file mode 100644 index 00000000000..6cba801f1e4 --- /dev/null +++ b/src/confcom/azext_confcom/lib/defaults.py @@ -0,0 +1,13 @@ +from azext_confcom import config + +def get_debug_mode_exec_procs(debug_mode: bool, platform: str) -> list: + + if not debug_mode: + return [] + + if platform.startswith("linux"): + return config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) + elif platform.startswith("windows"): + return config.DEBUG_MODE_SETTINGS_WINDOWS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) + else: + raise ValueError(f"Unsupported platform for debug mode settings: {platform}") diff --git a/src/confcom/azext_confcom/lib/images.py b/src/confcom/azext_confcom/lib/images.py index 810c12ae259..d72d963fd30 100644 --- a/src/confcom/azext_confcom/lib/images.py +++ b/src/confcom/azext_confcom/lib/images.py @@ -13,6 +13,26 @@ logger = logging.getLogger(__name__) +SUPPORTED_PLATFORMS = [ + "linux/amd64", + "windows/amd64", +] + + +@functools.lru_cache() +def pull_image(image_reference: str) -> docker.models.images.Image: + client = docker.from_env() + + for platform in SUPPORTED_PLATFORMS: + try: + image = client.images.pull(image_reference, platform=platform) + return image + except (docker.errors.ImageNotFound, docker.errors.NotFound): + continue + + raise ValueError(f"Image '{image_reference}' not found for any supported platform: {SUPPORTED_PLATFORMS}") + + @functools.lru_cache() def get_image(image_ref: str) -> docker.models.images.Image: @@ -27,13 +47,26 @@ def get_image(image_ref: str) -> docker.models.images.Image: return image -def get_image_layers(image: str) -> list[str]: +def get_image_platform(image_reference: str) -> str: + return "/".join([ + pull_image(image_reference).attrs['Os'], + pull_image(image_reference).attrs['Architecture'] + ]) + + +def get_image_layers(image: str, platform: str = "linux/amd64") -> list[str]: binary_path = Path(__file__).parent.parent / "bin" / "dmverity-vhd" get_image(image) + + arg_list = [binary_path.as_posix(), "-d", "roothash", "-i", image] + + if platform: + arg_list += ["--platform", platform] + result = subprocess.run( - [binary_path.as_posix(), "-d", "roothash", "-i", image], + arg_list, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=True, diff --git a/src/confcom/azext_confcom/lib/policy.py b/src/confcom/azext_confcom/lib/policy.py index 748ed55d0ff..2de1610dc00 100644 --- a/src/confcom/azext_confcom/lib/policy.py +++ b/src/confcom/azext_confcom/lib/policy.py @@ -106,7 +106,7 @@ class Container: @dataclass class Policy: package: str = "policy" - api_version: str = "0.10.0" + api_version: str = "0.11.0" framework_version: str = "0.2.3" fragments: List[FragmentReference] = OrderlessField(default_factory=list) containers: List[Container] = OrderlessField(default_factory=list) diff --git a/src/confcom/azext_confcom/lib/serialization.py b/src/confcom/azext_confcom/lib/serialization.py index 7702bfef8ba..7e41cff884b 100644 --- a/src/confcom/azext_confcom/lib/serialization.py +++ b/src/confcom/azext_confcom/lib/serialization.py @@ -53,6 +53,7 @@ def policy_serialize(policy: Union[Policy, Fragment]): load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {{"errors": data.framework.errors}} """) diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index f41dbd8f008..f2b93d77c3d 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -5,12 +5,13 @@ import hashlib +import json import os import platform import stat import subprocess import sys -from typing import List +from typing import List, Dict import requests from azext_confcom.errors import eprint @@ -27,13 +28,13 @@ _dmverity_vhd_binaries = { "Linux": { "path": _binaries_dir / "dmverity-vhd", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/v1.6/dmverity-vhd", - "sha256": "b8cf3fa3594e48070a31aa538d5b4b40d5b33b8ac18bc25a1816245159648fb0", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/v2.0/dmverity-vhd", + "sha256": "e7ad858fef018acd7d8a4ccb74f1b7a9cc1b3d6db5a7f8da5a259f71b26c12ea", }, "Windows": { "path": _binaries_dir / "dmverity-vhd.exe", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/v1.6/dmverity-vhd.exe", - "sha256": "ca0f95d798323f3ef26feb036112be9019f5ceaa6233ee2a65218d5a143ae474", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/v2.0/dmverity-vhd.exe", + "sha256": "6ef425c4bd07739d9cc90e57488985c1fca41f8d106fc816123b95b6305ee0af", }, } @@ -88,9 +89,10 @@ def get_policy_image_layers( self, image: str, tag: str, + platform: str = "linux/amd64", tar_location: str = "", faster_hashing=False - ) -> List[str]: + ) -> Dict[str, List[str]]: image_name = f"{image}:{tag}" # populate layer info if self.layer_cache.get(image_name): @@ -115,13 +117,16 @@ def get_policy_image_layers( # add the image to the end of the parameter list arg_list += ["roothash", "-i", f"{image_name}"] + if platform.startswith("windows"): + arg_list += ["--platform", platform] + item = subprocess.run( arg_list, capture_output=True, check=False, ) - output = [] + result = {} if item.returncode != 0: if item.stderr.decode("utf-8") != "" and item.stderr.decode("utf-8") is not None: logger.warning(item.stderr.decode("utf-8")) @@ -133,13 +138,29 @@ def get_policy_image_layers( ) sys.exit(item.returncode) elif len(item.stdout) > 0: - output = item.stdout.decode("utf8").strip("\n").split("\n") - output = [i.split(": ", 1)[1] for i in output if len(i.split(": ", 1)) > 1] + stdout_str = item.stdout.decode("utf8").strip() + + # Try parsing as JSON (both Linux and Windows now output JSON) + if stdout_str.startswith("{"): + try: + json_output = json.loads(stdout_str) + result["layers"] = json_output.get("layers", []) + # mounted_cim is only present for Windows + if "mounted_cim" in json_output: + result["mounted_cim"] = json_output["mounted_cim"] + except json.JSONDecodeError as e: + logger.error(f"Failed to parse JSON output: {e}") + sys.exit(1) + else: + # Fallback: line-by-line parsing for older dmverity-vhd versions + lines = stdout_str.split("\n") + layers = [i.split(": ", 1)[1] for i in lines if len(i.split(": ", 1)) > 1] + result["layers"] = layers else: eprint( "Could not get layer hashes" ) - # cache output layers - self.layer_cache[image_name] = output - return output + # cache output + self.layer_cache[image_name] = result + return result diff --git a/src/confcom/azext_confcom/sample_policy.md b/src/confcom/azext_confcom/sample_policy.md index a2d9c6032e8..79001b4a6ab 100644 --- a/src/confcom/azext_confcom/sample_policy.md +++ b/src/confcom/azext_confcom/sample_policy.md @@ -103,6 +103,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index bbecbf528b2..cc7341c123d 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -41,7 +41,10 @@ process_fragment_imports, process_mounts, process_mounts_from_config, - readable_diff) + readable_diff, + find_value_in_params_and_vars) +from azext_confcom.lib.images import get_image_platform +from azext_confcom.lib.defaults import get_debug_mode_exec_procs from knack.log import get_logger from tqdm import tqdm @@ -70,6 +73,7 @@ def __init__( container_definitions: Optional[list] = None, ) -> None: self._rootfs_proxy = None + self._platform = None self._policy_str = None self._policy_str_pp = None self._disable_stdio = disable_stdio @@ -141,6 +145,13 @@ def __init__( # parse and generate each container, either user or sidecar for c in containers: + + image_platform = c.get("platform", "linux/amd64") + if self._platform is None: + self._platform = image_platform + else: + assert self._platform == image_platform, "All images must have the same platform" + if not is_sidecar(c[config.POLICY_FIELD_CONTAINERS_ID]): container_image = UserContainerImage.from_json(c, is_vn2=is_vn2) else: @@ -212,17 +223,29 @@ def _add_rego_boilerplate(self, output: str) -> str: # get rid of fields that aren't strictly needed for the fragment import sanitized_fragments = sanitize_fragment_fields(self.get_fragments()) - return config.CUSTOMER_REGO_POLICY % ( - pretty_print_func(self._api_version), - pretty_print_func(sanitized_fragments), - output, - pretty_print_func(self._allow_properties_access), - pretty_print_func(self._allow_dump_stacks), - pretty_print_func(self._allow_runtime_logging), - pretty_print_func(self._allow_environment_variable_dropping), - pretty_print_func(self._allow_unencrypted_scratch), - pretty_print_func(self._allow_capability_dropping), - ) + + if self._platform.startswith("linux"): + return config.CUSTOMER_REGO_POLICY % ( + pretty_print_func(self._api_version), + pretty_print_func(sanitized_fragments), + output, + pretty_print_func(self._allow_properties_access), + pretty_print_func(self._allow_dump_stacks), + pretty_print_func(self._allow_runtime_logging), + pretty_print_func(self._allow_environment_variable_dropping), + pretty_print_func(self._allow_unencrypted_scratch), + pretty_print_func(self._allow_capability_dropping), + ) + elif self._platform.startswith("windows"): + return config.CUSTOMER_REGO_POLICY_WINDOWS % ( + pretty_print_func(self._api_version), + pretty_print_func(sanitized_fragments), + output, + pretty_print_func(self._allow_properties_access), + pretty_print_func(self._allow_dump_stacks), + pretty_print_func(self._allow_runtime_logging), + pretty_print_func(self._allow_environment_variable_dropping), + ) def validate_cce_policy(self) -> Tuple[bool, Dict]: """Utility method: check to see if the existing policy @@ -406,7 +429,8 @@ def _policy_serialization(self, pretty_print=False, include_sidecars: bool = Tru policy.append(image_dict) if (not is_sidecars or len(regular_container_images) == 0) and include_sidecars: # add in the default containers that have their hashes pre-computed - policy += copy.deepcopy(config.DEFAULT_CONTAINERS) + if self._platform.startswith("linux"): + policy += copy.deepcopy(config.DEFAULT_CONTAINERS) if self._disable_stdio: for container in policy: container[config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] = False @@ -574,9 +598,17 @@ def populate_policy_content_for_all_images( if isinstance(tar_mapping, dict): tar_location = get_tar_location_from_mapping(tar_mapping, image_name) # populate layer info - image.set_layers(proxy.get_policy_image_layers( - image.base, image.tag, tar_location=tar_location if tar else "", faster_hashing=faster_hashing - )) + layer_info = proxy.get_policy_image_layers( + image.base, + image.tag, + platform=self._platform, + tar_location=tar_location if tar else "", + faster_hashing=faster_hashing, + ) + image.set_layers(layer_info.get("layers", [])) + # Set mounted_cim for Windows containers + if "mounted_cim" in layer_info: + image.set_mounted_cim(layer_info["mounted_cim"]) progress.update() progress.close() @@ -683,7 +715,8 @@ def load_policy_from_arm_template_str( get_values_for_params(input_parameter_json, all_params) AciPolicy.all_params = all_params - AciPolicy.all_vars = case_insensitive_dict_get(input_arm_json, config.ACI_FIELD_TEMPLATE_VARIABLES) or {} + all_vars = case_insensitive_dict_get(input_arm_json, config.ACI_FIELD_TEMPLATE_VARIABLES) or {} + AciPolicy.all_vars = all_vars container_groups = [] @@ -785,6 +818,16 @@ def load_policy_from_arm_template_str( extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE) extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE) + # Use platform from template if specified, otherwise try to auto-detect from image + platform = case_insensitive_dict_get(image_properties, "platform") + if not platform: + # By this point, we have not substituted any parameters or + # variables yet, but in order to get the image we have to know + # the final image name. So resolve it here temporarily (later + # on, the constructor of AciPolicy will resolve it again) + image_name_with_param_substituted = find_value_in_params_and_vars(all_params, all_vars, image_name) + platform = get_image_platform(image_name_with_param_substituted) + containers.append( { config.ACI_FIELD_CONTAINERS_ID: image_name, @@ -798,15 +841,13 @@ def load_policy_from_arm_template_str( or [], config.ACI_FIELD_CONTAINERS_MOUNTS: process_mounts(image_properties, volumes) + process_configmap(image_properties), - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes + get_debug_mode_exec_procs(debug_mode, platform), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( image_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), + "platform": platform, } ) @@ -882,6 +923,8 @@ def load_policy_from_image_name( container[config.ACI_FIELD_CONTAINERS_CONTAINERIMAGE] = image_name container[config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS] = not disable_stdio + container["platform"] = get_image_platform(image_name) + containers.append(container) return AciPolicy( @@ -1025,6 +1068,8 @@ def load_policy_from_json( envs += process_env_vars_from_config(container_properties) + platform = get_image_platform(image_name) + output_containers.append( { config.ACI_FIELD_CONTAINERS_ID: image_name, @@ -1036,15 +1081,13 @@ def load_policy_from_json( container_properties, config.ACI_FIELD_TEMPLATE_COMMAND ) or [], config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes + get_debug_mode_exec_procs(debug_mode, platform), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), + "platform": platform, } ) @@ -1296,6 +1339,8 @@ def load_policy_from_virtual_node_yaml_str( extract_lifecycle_hook(exec_processes, container, config.VIRTUAL_NODE_YAML_LIFECYCLE_POST_START) extract_lifecycle_hook(exec_processes, container, config.VIRTUAL_NODE_YAML_LIFECYCLE_PRE_STOP) + platform = get_image_platform(image) + policy_containers.append( { config.ACI_FIELD_CONTAINERS_ID: image, @@ -1306,13 +1351,11 @@ def load_policy_from_virtual_node_yaml_str( config.ACI_FIELD_TEMPLATE_ENTRYPOINT: command, config.ACI_FIELD_CONTAINERS_COMMAND: args, config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes + get_debug_mode_exec_procs(debug_mode, platform), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, - config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: security_context + config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: security_context, + "platform": platform, } ) all_policies.append( diff --git a/src/confcom/azext_confcom/template_util.py b/src/confcom/azext_confcom/template_util.py index 5615ba5a15b..23724f5ef18 100644 --- a/src/confcom/azext_confcom/template_util.py +++ b/src/confcom/azext_confcom/template_util.py @@ -130,7 +130,10 @@ def get_image_info(progress, message_queue, tar_mapping, image): try: client = DockerClient().get_client() raw_image = client.images.get(image_name) - image_info = raw_image.attrs.get("Config") + image_info = { + "platform": "/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")]), + **raw_image.attrs.get("Config") + } message_queue.append( f"Using local version of {image_name}. It may differ from the remote image" ) @@ -149,8 +152,16 @@ def get_image_info(progress, message_queue, tar_mapping, image): # pull image to local daemon (if not in local # daemon) if not raw_image: - raw_image = client.images.pull(image_name) - image_info = raw_image.attrs.get("Config") + for platform in ["linux/amd64", "windows/amd64"]: + try: + raw_image = client.images.pull(image_name, platform=platform) + break + except (docker.errors.ImageNotFound, docker.errors.NotFound): + continue + image_info = { + "platform": "/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")]), + **raw_image.attrs.get("Config") + } except (docker.errors.ImageNotFound, docker.errors.NotFound): progress.close() eprint( diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py b/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py index ff94812c09f..f02d72a9b72 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py @@ -59,7 +59,7 @@ def test_containers_from_image(sample_directory: str, platform: str): with redirect_stdout(buffer): containers_from_image( image=f"confcom_test_{sample_directory.name}", - platform=platform, + aci_or_vn2=platform, ) actual_container_def = json.loads(buffer.getvalue()) diff --git a/src/confcom/samples/aci/command/policy.rego b/src/confcom/samples/aci/command/policy.rego index 0a8288ed727..5458cc68fa0 100644 --- a/src/confcom/samples/aci/command/policy.rego +++ b/src/confcom/samples/aci/command/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_debug.rego b/src/confcom/samples/aci/command/policy_debug.rego index 5726d4f6d31..e2fd4241d36 100644 --- a/src/confcom/samples/aci/command/policy_debug.rego +++ b/src/confcom/samples/aci/command/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_disable_stdio.rego b/src/confcom/samples/aci/command/policy_disable_stdio.rego index c93faa1ea15..2bef0422b25 100644 --- a/src/confcom/samples/aci/command/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/command/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego index ec1dd9acf8a..5dc73e916c6 100644 --- a/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_fragment.rego b/src/confcom/samples/aci/command/policy_fragment.rego index 70e92051fb0..dcf751eabb8 100644 --- a/src/confcom/samples/aci/command/policy_fragment.rego +++ b/src/confcom/samples/aci/command/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego index 38f5330d1e4..7c5d4ff3b9b 100644 --- a/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_infrastructure_svn.rego b/src/confcom/samples/aci/command/policy_infrastructure_svn.rego index a465b27eba7..e0b8b03ef0e 100644 --- a/src/confcom/samples/aci/command/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/command/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy.rego b/src/confcom/samples/aci/conflicting_variables/policy.rego index 2564d1f4d7d..e501b01cee8 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_debug.rego b/src/confcom/samples/aci/conflicting_variables/policy_debug.rego index 37ecc10f214..b0526f3f5ad 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_debug.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego index 9177bee6ae8..293f2bf6064 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego index 292d288f836..d2d5b3e8185 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego b/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego index da895107e92..dd7e5decea5 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego index 5d2305ae9a2..4db0d2a66e9 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego index 8c07f4ee697..597926c4ce3 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy.rego b/src/confcom/samples/aci/container_group_profiles/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_debug.rego b/src/confcom/samples/aci/container_group_profiles/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_debug.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego b/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego b/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego b/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy.rego b/src/confcom/samples/aci/default_variables/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/default_variables/policy.rego +++ b/src/confcom/samples/aci/default_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_debug.rego b/src/confcom/samples/aci/default_variables/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/default_variables/policy_debug.rego +++ b/src/confcom/samples/aci/default_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_fragment.rego b/src/confcom/samples/aci/default_variables/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/default_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/default_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy.rego b/src/confcom/samples/aci/default_variables_override/policy.rego index 2564d1f4d7d..e501b01cee8 100644 --- a/src/confcom/samples/aci/default_variables_override/policy.rego +++ b/src/confcom/samples/aci/default_variables_override/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_debug.rego b/src/confcom/samples/aci/default_variables_override/policy_debug.rego index 37ecc10f214..b0526f3f5ad 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_debug.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego b/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego index 9177bee6ae8..293f2bf6064 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego index 292d288f836..d2d5b3e8185 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_fragment.rego b/src/confcom/samples/aci/default_variables_override/policy_fragment.rego index da895107e92..dd7e5decea5 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_fragment.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego index 5d2305ae9a2..4db0d2a66e9 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego index 8c07f4ee697..597926c4ce3 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy.rego b/src/confcom/samples/aci/environment_variables/policy.rego index 6966ac35d00..1f153ed257e 100644 --- a/src/confcom/samples/aci/environment_variables/policy.rego +++ b/src/confcom/samples/aci/environment_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_debug.rego b/src/confcom/samples/aci/environment_variables/policy_debug.rego index 79a435f36ef..fcbfbcd4165 100644 --- a/src/confcom/samples/aci/environment_variables/policy_debug.rego +++ b/src/confcom/samples/aci/environment_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego index 1b3bf3399eb..c3c7d5d6d98 100644 --- a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego index 0582ec2f8b7..613f9afcb71 100644 --- a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_fragment.rego index f3c958b6d44..0a0eb4c839b 100644 --- a/src/confcom/samples/aci/environment_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/environment_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego index e2c54c52975..c3540fb6c95 100644 --- a/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego index 5c5771f5e79..bfa4e9804b5 100644 --- a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy.rego b/src/confcom/samples/aci/existing_policy/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/existing_policy/policy.rego +++ b/src/confcom/samples/aci/existing_policy/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_debug.rego b/src/confcom/samples/aci/existing_policy/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/existing_policy/policy_debug.rego +++ b/src/confcom/samples/aci/existing_policy/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego b/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_fragment.rego b/src/confcom/samples/aci/existing_policy/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/existing_policy/policy_fragment.rego +++ b/src/confcom/samples/aci/existing_policy/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy.rego b/src/confcom/samples/aci/minimal/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/minimal/policy.rego +++ b/src/confcom/samples/aci/minimal/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_debug.rego b/src/confcom/samples/aci/minimal/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/minimal/policy_debug.rego +++ b/src/confcom/samples/aci/minimal/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_disable_stdio.rego b/src/confcom/samples/aci/minimal/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/minimal/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/minimal/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_fragment.rego b/src/confcom/samples/aci/minimal/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/minimal/policy_fragment.rego +++ b/src/confcom/samples/aci/minimal/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego b/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy.rego b/src/confcom/samples/aci/multi_container_groups/policy.rego index 67de04a0285..b7f1e64d3cc 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_debug.rego b/src/confcom/samples/aci/multi_container_groups/policy_debug.rego index 7ddb75b3742..5b5785dd530 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_debug.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego b/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego index c7e0650713b..f0be599e6f3 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego index 32fd29e3336..f0400d3787b 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -43,7 +44,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -74,6 +75,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego index bcc5f638768..5a30c600142 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -62,7 +63,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -103,6 +104,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego b/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego index 1aa2ad14c23..7ce66ecc801 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy.rego b/src/confcom/samples/aci/multi_containers/policy.rego index e9ea916e0a8..0c7a66163f2 100644 --- a/src/confcom/samples/aci/multi_containers/policy.rego +++ b/src/confcom/samples/aci/multi_containers/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_debug.rego b/src/confcom/samples/aci/multi_containers/policy_debug.rego index 36217c9ac09..420880febae 100644 --- a/src/confcom/samples/aci/multi_containers/policy_debug.rego +++ b/src/confcom/samples/aci/multi_containers/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego b/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego index 19c2177c1ce..b3738f06aee 100644 --- a/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego index fbddd782d71..eb04d2704b2 100644 --- a/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_fragment.rego b/src/confcom/samples/aci/multi_containers/policy_fragment.rego index e1d6b484c42..2cdb596e63f 100644 --- a/src/confcom/samples/aci/multi_containers/policy_fragment.rego +++ b/src/confcom/samples/aci/multi_containers/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego index 3965d5eac5e..47e9d18e546 100644 --- a/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego b/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego index 4486204c204..2b189640808 100644 --- a/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy.rego index e17f515f228..8436ca3cd2a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego index be2655f5834..c9558c91aec 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego index a5188b24c04..cb795ea8edc 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego index 043e9959354..509e2273696 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego index 38027274a76..81c9ab609ae 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego index 1ff9e9c9ec6..0ff47fc21e4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego index e379d8e23b7..a0df6d7664f 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego index db0eb992c57..5d6be1de831 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego index cbfd9699780..6ae3b72378c 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego index 285be86a07d..238acfe3606 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego index 26f34bf1b3b..456c930d07a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego index 27ccf902d93..1ba40238b9a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego index 249001d4245..3e157bca9a8 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego index 1676fad3709..131d29a2a0d 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego index c9e88f85555..4c8901e8742 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego index bd1c6052a14..d7c303dad28 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego index 34425ff5777..0ad603292d3 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego index 0ea9ef76af4..e444c0d3310 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego index 580ae543b37..df284d7cde4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego index 0b993218415..49c1b7580a6 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego index 26c2ff93c1e..b893b1a1c42 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy.rego b/src/confcom/samples/aci/security_context_run_as_group/policy.rego index 93f30fa1e74..691be96db02 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego index 9a618bafc91..128b9782018 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego index 23fac5e69db..35ae6f34217 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego index 39446b7c586..067f2f6c175 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego index 43322bb43ac..b7c1a3febe0 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego index 3a94a9e1816..cc8cffa6d1e 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego index f08ba39228b..5357a5f5020 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy.rego b/src/confcom/samples/aci/security_context_run_as_user/policy.rego index e16fb4563d0..fb511fecd82 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego index 6e31e8f99ef..02f5ad5cfd0 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego index 28c1efee0c1..004bb814ecb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego index fa985532527..59b11e97ba8 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego index e7098c289ce..3ac73b1aefb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego index 103a6785acb..218d6af6e6b 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego index 3a6ef775944..07a5f3a9895 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy.rego b/src/confcom/samples/aci/variables/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/variables/policy.rego +++ b/src/confcom/samples/aci/variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_debug.rego b/src/confcom/samples/aci/variables/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/variables/policy_debug.rego +++ b/src/confcom/samples/aci/variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_disable_stdio.rego b/src/confcom/samples/aci/variables/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_fragment.rego b/src/confcom/samples/aci/variables/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/variables/policy_fragment.rego +++ b/src/confcom/samples/aci/variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy.rego b/src/confcom/samples/aci/volume_mount_secret/policy.rego index b5a639bb912..c020e197dcb 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego b/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego index 24215106d3f..9fa628f95b5 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego b/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego index 3f5ce0efda4..c31890df1a6 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego index 2a8c79a1d5a..983094135f2 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego b/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego index bb5bf4e1743..55068234edf 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego index 1f8cb708fa8..9fec748e4b0 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego index 29ffb26aee3..ba42aa2c23a 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy.rego b/src/confcom/samples/aci/volume_mounts/policy.rego index 273b195b4d9..a62cbc24e13 100644 --- a/src/confcom/samples/aci/volume_mounts/policy.rego +++ b/src/confcom/samples/aci/volume_mounts/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_debug.rego b/src/confcom/samples/aci/volume_mounts/policy_debug.rego index ebe8d8cff89..a86c8007074 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_debug.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego b/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego index 71223a5d727..50c2543fe4b 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego index 40c79ea7359..40daa187696 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_fragment.rego b/src/confcom/samples/aci/volume_mounts/policy_fragment.rego index 80286bf873a..78dca65c36c 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_fragment.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego index f73bc72b9cd..08a6e871afa 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego index caf93e6b04f..d15814f95d1 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/policies/allow_all.rego b/src/confcom/samples/policies/allow_all.rego index cfa50f39e5e..a8a4a9d6916 100644 --- a/src/confcom/samples/policies/allow_all.rego +++ b/src/confcom/samples/policies/allow_all.rego @@ -1,6 +1,6 @@ package policy -api_version := "0.10.0" +api_version := "0.11.0" mount_device := {"allowed": true} mount_overlay := {"allowed": true} diff --git a/src/confcom/samples/sample-policy-output.rego b/src/confcom/samples/sample-policy-output.rego index 060e19d6845..0261d9c69fa 100644 Binary files a/src/confcom/samples/sample-policy-output.rego and b/src/confcom/samples/sample-policy-output.rego differ diff --git a/src/confcom/samples/vn2/basic_command_args/policy.rego b/src/confcom/samples/vn2/basic_command_args/policy.rego index 836d9cdca23..0a98ec2aa07 100644 --- a/src/confcom/samples/vn2/basic_command_args/policy.rego +++ b/src/confcom/samples/vn2/basic_command_args/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -377,6 +377,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/configmap_secret_env/policy.rego b/src/confcom/samples/vn2/configmap_secret_env/policy.rego index 3c4ff5e9de8..96b1e11c011 100644 --- a/src/confcom/samples/vn2/configmap_secret_env/policy.rego +++ b/src/confcom/samples/vn2/configmap_secret_env/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -388,6 +388,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/fieldref_env/policy.rego b/src/confcom/samples/vn2/fieldref_env/policy.rego index ea59ff93085..6d786a7c94d 100644 --- a/src/confcom/samples/vn2/fieldref_env/policy.rego +++ b/src/confcom/samples/vn2/fieldref_env/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -373,6 +373,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/init_and_lifecycle/policy.rego b/src/confcom/samples/vn2/init_and_lifecycle/policy.rego index 1a28591eeb5..456cefc3958 100644 --- a/src/confcom/samples/vn2/init_and_lifecycle/policy.rego +++ b/src/confcom/samples/vn2/init_and_lifecycle/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -641,6 +641,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/multi_container/policy.rego b/src/confcom/samples/vn2/multi_container/policy.rego index 8defcef2dbf..0eaa1545bf4 100644 --- a/src/confcom/samples/vn2/multi_container/policy.rego +++ b/src/confcom/samples/vn2/multi_container/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -606,6 +606,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/privileged_container/policy.rego b/src/confcom/samples/vn2/privileged_container/policy.rego index 2463cffceeb..4e58d768e09 100644 --- a/src/confcom/samples/vn2/privileged_container/policy.rego +++ b/src/confcom/samples/vn2/privileged_container/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -511,6 +511,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/read_only_mounts/policy.rego b/src/confcom/samples/vn2/read_only_mounts/policy.rego index ae1c0fa9e80..97e45441e42 100644 --- a/src/confcom/samples/vn2/read_only_mounts/policy.rego +++ b/src/confcom/samples/vn2/read_only_mounts/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -388,6 +388,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/resourcefieldref_env/policy.rego b/src/confcom/samples/vn2/resourcefieldref_env/policy.rego index e616027f4ea..85335ff3366 100644 --- a/src/confcom/samples/vn2/resourcefieldref_env/policy.rego +++ b/src/confcom/samples/vn2/resourcefieldref_env/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/seccomp_profile/policy.rego b/src/confcom/samples/vn2/seccomp_profile/policy.rego index aa2561c5174..6f134a716b5 100644 --- a/src/confcom/samples/vn2/seccomp_profile/policy.rego +++ b/src/confcom/samples/vn2/seccomp_profile/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -377,6 +377,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/security_context_merge/policy.rego b/src/confcom/samples/vn2/security_context_merge/policy.rego index fce047783cf..95604690b71 100644 --- a/src/confcom/samples/vn2/security_context_merge/policy.rego +++ b/src/confcom/samples/vn2/security_context_merge/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -368,6 +368,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/signals/policy.rego b/src/confcom/samples/vn2/signals/policy.rego index 9ad7c523839..892d06418bd 100644 --- a/src/confcom/samples/vn2/signals/policy.rego +++ b/src/confcom/samples/vn2/signals/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -383,6 +383,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/special_env_regex/policy.rego b/src/confcom/samples/vn2/special_env_regex/policy.rego index b35c8e8c9b7..7606a4a35d9 100644 --- a/src/confcom/samples/vn2/special_env_regex/policy.rego +++ b/src/confcom/samples/vn2/special_env_regex/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/volume_claim_templates/policy.rego b/src/confcom/samples/vn2/volume_claim_templates/policy.rego index 07e15b4a62c..eb6f5fdb046 100644 --- a/src/confcom/samples/vn2/volume_claim_templates/policy.rego +++ b/src/confcom/samples/vn2/volume_claim_templates/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/workload_identity/policy.rego b/src/confcom/samples/vn2/workload_identity/policy.rego index 7b3bd75f50e..3152c3b497c 100644 --- a/src/confcom/samples/vn2/workload_identity/policy.rego +++ b/src/confcom/samples/vn2/workload_identity/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -398,6 +398,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/setup.py b/src/confcom/setup.py index a4cbb850a58..619dc9c9ce3 100644 --- a/src/confcom/setup.py +++ b/src/confcom/setup.py @@ -19,7 +19,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook") -VERSION = "1.8.0" +VERSION = "2.0.0b1" # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers