From 2cc50f9eca4d051c2a390bd5c1ca8353571fee75 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Wed, 15 Oct 2025 17:07:50 +0100 Subject: [PATCH 01/21] Support windows platform images --- src/confcom/azext_confcom/rootfs_proxy.py | 3 ++- src/confcom/azext_confcom/security_policy.py | 6 +++++- src/confcom/azext_confcom/template_util.py | 17 ++++++++++++++--- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index 4acccf56b1f..746da54ba57 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -89,6 +89,7 @@ def get_policy_image_layers( self, image: str, tag: str, + platform: str = "linux/amd64", tar_location: str = "", faster_hashing=False ) -> List[str]: @@ -114,7 +115,7 @@ def get_policy_image_layers( arg_list += ["-b"] # add the image to the end of the parameter list - arg_list += ["roothash", "-i", f"{image_name}"] + arg_list += ["roothash", "-i", f"{image_name}", "--platform", platform] item = subprocess.run( arg_list, diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 8ab29f52032..03fe2deae22 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -558,7 +558,11 @@ def populate_policy_content_for_all_images( tar_location = get_tar_location_from_mapping(tar_mapping, image_name) # populate layer info image.set_layers(proxy.get_policy_image_layers( - image.base, image.tag, tar_location=tar_location if tar else "", faster_hashing=faster_hashing + image.base, + image.tag, + platform=image_info.get("platform", "linux/amd64"), + tar_location=tar_location if tar else "", + faster_hashing=faster_hashing, )) progress.update() diff --git a/src/confcom/azext_confcom/template_util.py b/src/confcom/azext_confcom/template_util.py index c968695d5f7..a59103c0682 100644 --- a/src/confcom/azext_confcom/template_util.py +++ b/src/confcom/azext_confcom/template_util.py @@ -130,7 +130,10 @@ def get_image_info(progress, message_queue, tar_mapping, image): try: client = DockerClient().get_client() raw_image = client.images.get(image_name) - image_info = raw_image.attrs.get("Config") + image_info = { + "platform": "/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")]), + **raw_image.attrs.get("Config") + } message_queue.append( f"Using local version of {image_name}. It may differ from the remote image" ) @@ -149,8 +152,16 @@ def get_image_info(progress, message_queue, tar_mapping, image): # pull image to local daemon (if not in local # daemon) if not raw_image: - raw_image = client.images.pull(image_name) - image_info = raw_image.attrs.get("Config") + for platform in ["linux/amd64", "windows/amd64"]: + try: + raw_image = client.images.pull(image_name, platform=platform) + break + except (docker.errors.ImageNotFound, docker.errors.NotFound): + continue + image_info = { + "platform": "/".join([raw_image.attrs.get("Os"), raw_image.attrs.get("Architecture")]), + **raw_image.attrs.get("Config") + } except (docker.errors.ImageNotFound, docker.errors.NotFound): progress.close() eprint( From acf0de504258cc0a085508aab4762fa3996b5627 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Wed, 15 Oct 2025 17:08:06 +0100 Subject: [PATCH 02/21] Pull specific versions of integrity-vhd instead of latest --- src/confcom/azext_confcom/rootfs_proxy.py | 42 +++++++++++------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index 746da54ba57..70f1ef36173 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -32,28 +32,28 @@ def download_binaries(): if not os.path.exists(bin_folder): os.makedirs(bin_folder) - # get the most recent release artifacts from github - r = requests.get("https://api.github.com/repos/microsoft/integrity-vhd/releases") - r.raise_for_status() - needed_assets = ["dmverity-vhd", "dmverity-vhd.exe"] - # these should be newest to oldest - for release in r.json(): - # search for both windows and linux binaries - needed_asset_info = [asset for asset in release["assets"] if asset["name"] in needed_assets] - if len(needed_asset_info) == len(needed_assets): - for asset in needed_asset_info: - # say which version we're downloading - print(f"Downloading integrity-vhd version {release['tag_name']}") - # get the download url for the dmverity-vhd file - exe_url = asset["browser_download_url"] - # download the file - r = requests.get(exe_url) - r.raise_for_status() - # save the file to the bin folder + # These will normally be the same, I'm splitting them here to get the + # modified windows binary separately + asset_to_version = { + "dmverity-vhd": "v1.6", + "dmverity-vhd.exe": "dev-platform-support" + } + + for asset_name, release_version in asset_to_version.items(): + release_req = requests.get(f"https://api.github.com/repos/microsoft/integrity-vhd/releases/tags/{release_version}") + release_req.raise_for_status() + asset_found = False + for asset in release_req.json()["assets"]: + if asset["name"] == asset_name: + asset_found = True + print(f"Downloading integrity-vhd version {release_req.json()['tag_name']}") + asset_req = requests.get(asset["browser_download_url"]) + asset_req.raise_for_status() with open(os.path.join(bin_folder, asset["name"]), "wb") as f: - f.write(r.content) - # stop iterating through releases - break + f.write(asset_req.content) + break + assert asset_found, f"Could not find {asset} in release {release_version}" + def __init__(self): script_directory = os.path.dirname(os.path.realpath(__file__)) From cce8274a93d01c5f6410b4a10d936d1c39a9fc4c Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Wed, 15 Oct 2025 17:08:55 +0100 Subject: [PATCH 03/21] Set version to be wcow --- src/confcom/setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confcom/setup.py b/src/confcom/setup.py index df6c58e0180..01d39c192bc 100644 --- a/src/confcom/setup.py +++ b/src/confcom/setup.py @@ -19,7 +19,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook") -VERSION = "1.3.0" +VERSION = "1.3.0-wcow" # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers From 6f9464296f0e48ead423b5e7ce8f26e7a283b9c2 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Wed, 15 Oct 2025 17:15:07 +0100 Subject: [PATCH 04/21] Make version compliant --- src/confcom/setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confcom/setup.py b/src/confcom/setup.py index 01d39c192bc..2e07bd8e697 100644 --- a/src/confcom/setup.py +++ b/src/confcom/setup.py @@ -19,7 +19,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook") -VERSION = "1.3.0-wcow" +VERSION = "1.3.0-dev+wcow" # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers From 88dae8a44ac9ae427da9d847b6ed21b2ae92017e Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Fri, 17 Oct 2025 14:55:22 +0100 Subject: [PATCH 05/21] Make the policy windows shaped --- src/confcom/azext_confcom/config.py | 1 + src/confcom/azext_confcom/container.py | 27 +++++++--- .../data/customer_rego_policy_windows.txt | 30 +++++++++++ .../azext_confcom/data/internal_config.json | 2 +- src/confcom/azext_confcom/security_policy.py | 52 ++++++++++++++----- 5 files changed, 91 insertions(+), 21 deletions(-) create mode 100644 src/confcom/azext_confcom/data/customer_rego_policy_windows.txt diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py index 7726d5c139b..f79a5c14e37 100644 --- a/src/confcom/azext_confcom/config.py +++ b/src/confcom/azext_confcom/config.py @@ -227,6 +227,7 @@ } """ CUSTOMER_REGO_POLICY = load_str_from_file(REGO_FILE_PATH) +CUSTOMER_REGO_POLICY_WINDOWS = load_str_from_file(f"{script_directory}/data/customer_rego_policy_windows.txt") CUSTOMER_REGO_FRAGMENT = load_str_from_file(REGO_FRAGMENT_FILE_PATH) # sidecar rego file SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt" diff --git a/src/confcom/azext_confcom/container.py b/src/confcom/azext_confcom/container.py index fcdc063f33b..b72565a0d73 100644 --- a/src/confcom/azext_confcom/container.py +++ b/src/confcom/azext_confcom/container.py @@ -563,6 +563,7 @@ def from_json( mounts=mounts, allow_elevated=allow_elevated, extraEnvironmentRules=[], + platform=container_json["platform"], execProcesses=exec_processes, signals=signals, user=user, @@ -583,6 +584,7 @@ def __init__( allow_elevated: bool, id_val: str, extraEnvironmentRules: Dict, + platform: str = "linux/amd64", entrypoint: List[str] = None, capabilities: Dict = copy.deepcopy(_CAPABILITIES), user: Dict = copy.deepcopy(_DEFAULT_USER), @@ -615,6 +617,7 @@ def __init__( self._exec_processes = execProcesses or [] self._signals = signals or [] self._extraEnvironmentRules = extraEnvironmentRules + self._platform = platform def get_policy_json(self, omit_id: bool = False) -> str: return self._populate_policy_json_elements(omit_id=omit_id) @@ -764,16 +767,25 @@ def _populate_policy_json_elements(self, omit_id: bool = False) -> Dict[str, Any config.POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS: self._get_environment_rules(), config.POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR: self._workingDir, config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS: self._get_mounts_json(), - config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED: self._allow_elevated, config.POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES: self._exec_processes, config.POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES: self._signals, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user(), - config.POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES: self._capabilities, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256: self._seccomp_profile_sha256, config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS: self._allow_stdio_access, - config.POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES: not self._allow_privilege_escalation } + if self._platform.startswith("linux"): + elements.update({ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES: self._capabilities, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256: self._seccomp_profile_sha256, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user(), + config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED: self._allow_elevated, + config.POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES: not self._allow_privilege_escalation, + }) + elif self._platform.startswith("windows"): + elements.update({ + config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user()["user_idname"]["pattern"], + }) + + if not omit_id: elements[config.POLICY_FIELD_CONTAINERS_ID] = self._identifier # if we are omitting the id, we should remove the id value from the policy if it's in the name field @@ -793,13 +805,14 @@ def from_json( image.__class__ = UserContainerImage # inject default mounts for user container if (image.base not in config.BASELINE_SIDECAR_CONTAINERS) and (not is_vn2): - image.get_mounts().extend(_DEFAULT_MOUNTS) + if container_json["platform"].startswith("linux"): + image.get_mounts().extend(_DEFAULT_MOUNTS) if (image.base not in config.BASELINE_SIDECAR_CONTAINERS) and (is_vn2): image.get_mounts().extend(_DEFAULT_MOUNTS_VN2) # Start with the customer environment rules - env_rules = copy.deepcopy(_INJECTED_CUSTOMER_ENV_RULES) + env_rules = copy.deepcopy(_INJECTED_CUSTOMER_ENV_RULES) if container_json["platform"].startswith("linux") else dict() # If is_vn2, add the VN2 environment rules if is_vn2: env_rules += _INJECTED_SERVICE_VN2_ENV_RULES diff --git a/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt new file mode 100644 index 00000000000..f99f72b9202 --- /dev/null +++ b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt @@ -0,0 +1,30 @@ +package policy + +import future.keywords.every +import future.keywords.in + +api_version := %s +framework_version := "0.4.0" + +fragments := %s + +containers := %s + +allow_properties_access := %s +allow_dump_stacks := %s +allow_runtime_logging := %s +allow_environment_variable_dropping := %s + +create_container := data.framework.create_container +exec_in_container := data.framework.exec_in_container +exec_external := data.framework.exec_external +shutdown_container := data.framework.shutdown_container +signal_container_process := data.framework.signal_container_process +get_properties := data.framework.get_properties +dump_stacks := data.framework.dump_stacks +runtime_logging := data.framework.runtime_logging +load_fragment := data.framework.load_fragment +scratch_mount := data.framework.scratch_mount +mount_cims := data.framework.mount_cims + +reason := {"errors": data.framework.errors} \ No newline at end of file diff --git a/src/confcom/azext_confcom/data/internal_config.json b/src/confcom/azext_confcom/data/internal_config.json index 9a87356e721..d30bb76d454 100644 --- a/src/confcom/azext_confcom/data/internal_config.json +++ b/src/confcom/azext_confcom/data/internal_config.json @@ -4,7 +4,7 @@ "maxVersion": "1.0.0", "minVersion": "0.0.1" }, - "version_api": "0.10.0", + "version_api": "0.11.0", "openGCS": { "environmentVariables": [ { diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 03fe2deae22..8cd52cdf696 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -40,6 +40,7 @@ process_mounts, process_mounts_from_config, readable_diff) +from azext_confcom.lib.images import get_image_platform from knack.log import get_logger from tqdm import tqdm @@ -67,6 +68,7 @@ def __init__( fragment_contents: Any = None, ) -> None: self._rootfs_proxy = None + self._platform = None self._policy_str = None self._policy_str_pp = None self._disable_stdio = disable_stdio @@ -129,6 +131,13 @@ def __init__( # parse and generate each container, either user or sidecar for c in containers: + + image_platform = c.get("platform", "linux/amd64") + if self._platform is None: + self._platform = image_platform + else: + assert self._platform == image_platform, "All images must have the same platform" + if not is_sidecar(c[config.POLICY_FIELD_CONTAINERS_ID]): container_image = UserContainerImage.from_json(c, is_vn2=is_vn2) else: @@ -200,17 +209,29 @@ def _add_rego_boilerplate(self, output: str) -> str: # get rid of fields that aren't strictly needed for the fragment import sanitized_fragments = sanitize_fragment_fields(self.get_fragments()) - return config.CUSTOMER_REGO_POLICY % ( - pretty_print_func(self._api_version), - pretty_print_func(sanitized_fragments), - output, - pretty_print_func(self._allow_properties_access), - pretty_print_func(self._allow_dump_stacks), - pretty_print_func(self._allow_runtime_logging), - pretty_print_func(self._allow_environment_variable_dropping), - pretty_print_func(self._allow_unencrypted_scratch), - pretty_print_func(self._allow_capability_dropping), - ) + + if self._platform.startswith("linux"): + return config.CUSTOMER_REGO_POLICY % ( + pretty_print_func(self._api_version), + pretty_print_func(sanitized_fragments), + output, + pretty_print_func(self._allow_properties_access), + pretty_print_func(self._allow_dump_stacks), + pretty_print_func(self._allow_runtime_logging), + pretty_print_func(self._allow_environment_variable_dropping), + pretty_print_func(self._allow_unencrypted_scratch), + pretty_print_func(self._allow_capability_dropping), + ) + elif self._platform.startswith("windows"): + return config.CUSTOMER_REGO_POLICY_WINDOWS % ( + pretty_print_func(self._api_version), + pretty_print_func(sanitized_fragments), + output, + pretty_print_func(self._allow_properties_access), + pretty_print_func(self._allow_dump_stacks), + pretty_print_func(self._allow_runtime_logging), + pretty_print_func(self._allow_environment_variable_dropping), + ) def validate_cce_policy(self) -> Tuple[bool, Dict]: """Utility method: check to see if the existing policy @@ -394,7 +415,8 @@ def _policy_serialization(self, pretty_print=False, include_sidecars: bool = Tru policy.append(image_dict) if (not is_sidecars or len(regular_container_images) == 0) and include_sidecars: # add in the default containers that have their hashes pre-computed - policy += copy.deepcopy(config.DEFAULT_CONTAINERS) + if self._platform.startswith("linux"): + policy += copy.deepcopy(config.DEFAULT_CONTAINERS) if self._disable_stdio: for container in policy: container[config.POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS] = False @@ -560,7 +582,7 @@ def populate_policy_content_for_all_images( image.set_layers(proxy.get_policy_image_layers( image.base, image.tag, - platform=image_info.get("platform", "linux/amd64"), + platform=self._platform, tar_location=tar_location if tar else "", faster_hashing=faster_hashing, )) @@ -795,6 +817,7 @@ def load_policy_from_arm_template_str( config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( image_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), + "platform": get_image_platform(image_name), } ) @@ -870,6 +893,8 @@ def load_policy_from_image_name( container[config.ACI_FIELD_CONTAINERS_CONTAINERIMAGE] = image_name container[config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS] = not disable_stdio + container["platform"] = get_image_platform(image_name) + containers.append(container) return AciPolicy( @@ -1033,6 +1058,7 @@ def load_policy_from_json( config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), + "platform": get_image_platform(image_name), } ) From 261d815c3c029ad7b8f2630f5e0117766b771a9e Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 3 Nov 2025 11:56:00 +0000 Subject: [PATCH 06/21] Support --debug-mode --- src/confcom/.gitignore | 2 ++ src/confcom/azext_confcom/config.py | 1 + .../azext_confcom/data/internal_config.json | 23 +++++++++++++ src/confcom/azext_confcom/lib/defaults.py | 13 +++++++ src/confcom/azext_confcom/lib/images.py | 34 +++++++++++++++++++ src/confcom/azext_confcom/security_policy.py | 19 +++++------ 6 files changed, 82 insertions(+), 10 deletions(-) create mode 100644 src/confcom/azext_confcom/lib/defaults.py create mode 100644 src/confcom/azext_confcom/lib/images.py diff --git a/src/confcom/.gitignore b/src/confcom/.gitignore index 562e4134172..6d554baf4b2 100644 --- a/src/confcom/.gitignore +++ b/src/confcom/.gitignore @@ -36,3 +36,5 @@ azext_confcom/bin/* **/.coverage **/htmlcov + +!lib/ diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py index f79a5c14e37..afec4f49971 100644 --- a/src/confcom/azext_confcom/config.py +++ b/src/confcom/azext_confcom/config.py @@ -211,6 +211,7 @@ DEFAULT_REGO_FRAGMENTS = _config["default_rego_fragments"] # things that need to be set for debug mode DEBUG_MODE_SETTINGS = _config["debugMode"] +DEBUG_MODE_SETTINGS_WINDOWS = _config["debugModeWindows"] # reserved fragment names for existing pieces of Rego RESERVED_FRAGMENT_NAMES = _config["reserved_fragment_namespaces"] # fragment artifact type diff --git a/src/confcom/azext_confcom/data/internal_config.json b/src/confcom/azext_confcom/data/internal_config.json index d30bb76d454..9df4fbcd70e 100644 --- a/src/confcom/azext_confcom/data/internal_config.json +++ b/src/confcom/azext_confcom/data/internal_config.json @@ -193,6 +193,29 @@ "allowCapabilityDropping": true, "allowUnencryptedScratch": false }, + "debugModeWindows": { + "environmentVariables": [ + { + "name": ".+", + "value": ".+", + "strategy": "re2", + "required": false + } + ], + "execProcesses": [ + { + "command": [ + "cmd.exe" + ], + "signals": [], + "allow_stdio_access": true + } + ], + "allowPropertiesAccess": true, + "allowDumpStacks": true, + "allowRuntimeLogging": true, + "allowEnvironmentVariableDropping": true + }, "containerd": { "defaultWorkingDir": "/" }, diff --git a/src/confcom/azext_confcom/lib/defaults.py b/src/confcom/azext_confcom/lib/defaults.py new file mode 100644 index 00000000000..6cba801f1e4 --- /dev/null +++ b/src/confcom/azext_confcom/lib/defaults.py @@ -0,0 +1,13 @@ +from azext_confcom import config + +def get_debug_mode_exec_procs(debug_mode: bool, platform: str) -> list: + + if not debug_mode: + return [] + + if platform.startswith("linux"): + return config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) + elif platform.startswith("windows"): + return config.DEBUG_MODE_SETTINGS_WINDOWS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) + else: + raise ValueError(f"Unsupported platform for debug mode settings: {platform}") diff --git a/src/confcom/azext_confcom/lib/images.py b/src/confcom/azext_confcom/lib/images.py new file mode 100644 index 00000000000..c3cd003015c --- /dev/null +++ b/src/confcom/azext_confcom/lib/images.py @@ -0,0 +1,34 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# -------------------------------------------------------------------------------------------- + +import docker +import functools + + +SUPPORTED_PLATFORMS = [ + "linux/amd64", + "windows/amd64", +] + + +@functools.lru_cache() +def pull_image(image_reference: str) -> docker.models.images.Image: + client = docker.from_env() + + for platform in SUPPORTED_PLATFORMS: + try: + image = client.images.pull(image_reference, platform=platform) + return image + except (docker.errors.ImageNotFound, docker.errors.NotFound): + continue + + raise ValueError(f"Image '{image_reference}' not found for any supported platform: {SUPPORTED_PLATFORMS}") + + +def get_image_platform(image_reference: str) -> str: + return "/".join([ + pull_image(image_reference).attrs['Os'], + pull_image(image_reference).attrs['Architecture'] + ]) diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 8cd52cdf696..ef49147c3de 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -41,6 +41,7 @@ process_mounts_from_config, readable_diff) from azext_confcom.lib.images import get_image_platform +from azext_confcom.lib.defaults import get_debug_mode_exec_procs from knack.log import get_logger from tqdm import tqdm @@ -795,6 +796,8 @@ def load_policy_from_arm_template_str( extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE) extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE) + platform = get_image_platform(image_name) + containers.append( { config.ACI_FIELD_CONTAINERS_ID: image_name, @@ -808,16 +811,13 @@ def load_policy_from_arm_template_str( or [], config.ACI_FIELD_CONTAINERS_MOUNTS: process_mounts(image_properties, volumes) + process_configmap(image_properties), - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes + get_debug_mode_exec_procs(debug_mode, platform), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( image_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), - "platform": get_image_platform(image_name), + "platform": platform, } ) @@ -1038,6 +1038,8 @@ def load_policy_from_json( envs += process_env_vars_from_config(container_properties) + platform = get_image_platform(image_name) + output_containers.append( { config.ACI_FIELD_CONTAINERS_ID: image_name, @@ -1049,16 +1051,13 @@ def load_policy_from_json( container_properties, config.ACI_FIELD_TEMPLATE_COMMAND ) or [], config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes + get_debug_mode_exec_procs(debug_mode, platform), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: case_insensitive_dict_get( container_properties, config.ACI_FIELD_TEMPLATE_SECURITY_CONTEXT ), - "platform": get_image_platform(image_name), + "platform": platform, } ) From 7633693f17ff30db662da2c432ca5139ce8f6a19 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 3 Nov 2025 12:00:41 +0000 Subject: [PATCH 07/21] Make lib a module --- src/confcom/azext_confcom/lib/__init__.py | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 src/confcom/azext_confcom/lib/__init__.py diff --git a/src/confcom/azext_confcom/lib/__init__.py b/src/confcom/azext_confcom/lib/__init__.py new file mode 100644 index 00000000000..e69de29bb2d From 5a4707f7802781d3da4be2d99de265f68ac5e4c0 Mon Sep 17 00:00:00 2001 From: Dominic Ayre Date: Mon, 3 Nov 2025 12:19:47 +0000 Subject: [PATCH 08/21] Only add platform flag on windows --- src/confcom/azext_confcom/rootfs_proxy.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index 70f1ef36173..df45d764ce9 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -115,7 +115,10 @@ def get_policy_image_layers( arg_list += ["-b"] # add the image to the end of the parameter list - arg_list += ["roothash", "-i", f"{image_name}", "--platform", platform] + arg_list += ["roothash", "-i", f"{image_name}"] + + if platform.startswith("windows"): + arg_list += ["--platform", platform] item = subprocess.run( arg_list, From 8952513cc87127073d4c40d9a5356133a50b1d65 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Wed, 1 Apr 2026 14:54:33 +0100 Subject: [PATCH 09/21] Use updated integrity-vhd for fixed C-WCOW policy gen --- src/confcom/azext_confcom/rootfs_proxy.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index e2ac5729e19..434b746d76c 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -27,13 +27,13 @@ _dmverity_vhd_binaries = { "Linux": { "path": _binaries_dir / "dmverity-vhd", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/v1.6/dmverity-vhd", - "sha256": "b8cf3fa3594e48070a31aa538d5b4b40d5b33b8ac18bc25a1816245159648fb0", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/dev-cwcow-20260401/dmverity-vhd", + "sha256": "61fed52f6a0aee47b2d0a1316b1153f868f25a84daa94b0de37ce4b2e8c6254c", }, "Windows": { "path": _binaries_dir / "dmverity-vhd.exe", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/dev-platform-support/dmverity-vhd.exe", - "sha256": "ca0f95d798323f3ef26feb036112be9019f5ceaa6233ee2a65218d5a143ae474", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/dev-cwcow-20260401/dmverity-vhd.exe", + "sha256": "f4ec22b1b5f42e1f6621ee8d4c7588ed334e7719e155b588d05e773b3b23941e", }, } From 413707df93ab2a629212a8fe3803e8f2316e44ca Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Wed, 1 Apr 2026 16:45:46 +0100 Subject: [PATCH 10/21] Support windows images also in the new "containers from_image" command --- src/confcom/azext_confcom/_help.py | 2 +- .../azext_confcom/command/containers_from_image.py | 4 ++-- .../azext_confcom/command/containers_from_vn2.py | 2 +- src/confcom/azext_confcom/custom.py | 2 +- src/confcom/azext_confcom/lib/containers.py | 12 ++++++++---- src/confcom/azext_confcom/lib/images.py | 10 ++++++++-- .../latest/test_confcom_containers_from_image.py | 2 +- 7 files changed, 22 insertions(+), 12 deletions(-) diff --git a/src/confcom/azext_confcom/_help.py b/src/confcom/azext_confcom/_help.py index 031f439e004..ef2d2f3e08f 100644 --- a/src/confcom/azext_confcom/_help.py +++ b/src/confcom/azext_confcom/_help.py @@ -340,7 +340,7 @@ parameters: - name: --platform type: str - short-summary: 'The name of the platform the container definition will run on' + short-summary: 'The name of the platform the container definition will run on. Must be either "aci" or "vn2".' examples: diff --git a/src/confcom/azext_confcom/command/containers_from_image.py b/src/confcom/azext_confcom/command/containers_from_image.py index 72560a5317b..7b488d23c10 100644 --- a/src/confcom/azext_confcom/command/containers_from_image.py +++ b/src/confcom/azext_confcom/command/containers_from_image.py @@ -8,5 +8,5 @@ from azext_confcom.lib.containers import from_image as lib_containers_from_image -def containers_from_image(image: str, platform: str) -> None: - print(json.dumps(lib_containers_from_image(image, platform))) +def containers_from_image(image: str, aci_or_vn2: str) -> None: + print(json.dumps(lib_containers_from_image(image, aci_or_vn2))) diff --git a/src/confcom/azext_confcom/command/containers_from_vn2.py b/src/confcom/azext_confcom/command/containers_from_vn2.py index 1d4998b8183..4a0c657939c 100644 --- a/src/confcom/azext_confcom/command/containers_from_vn2.py +++ b/src/confcom/azext_confcom/command/containers_from_vn2.py @@ -192,7 +192,7 @@ def containers_from_vn2( container_defs = [] for template_container, template_doc in template_containers: - image_container_def = container_from_image(template_container.get("image"), platform="vn2") + image_container_def = container_from_image(template_container.get("image"), aci_or_vn2="vn2") template_container_def = { "name": template_container.get("name"), diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index ff2b03f6b6e..dca86e5bc7b 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -581,7 +581,7 @@ def containers_from_image( ) -> None: _containers_from_image( image=image, - platform=platform, + aci_or_vn2=platform, ) diff --git a/src/confcom/azext_confcom/lib/containers.py b/src/confcom/azext_confcom/lib/containers.py index 4a0523ff3f0..f4ed12b7906 100644 --- a/src/confcom/azext_confcom/lib/containers.py +++ b/src/confcom/azext_confcom/lib/containers.py @@ -3,8 +3,9 @@ # Licensed under the MIT License. See License.txt in the project root for license information. # -------------------------------------------------------------------------------------------- +from typing import Optional from dataclasses import asdict -from azext_confcom.lib.images import get_image_layers, get_image_config +from azext_confcom.lib.images import get_image_layers, get_image_config, get_image_platform from azext_confcom.lib.platform import ACI_MOUNTS, VN2_MOUNTS @@ -35,17 +36,20 @@ def merge_containers(*args) -> dict: return merged_container -def from_image(image: str, platform: str) -> dict: +def from_image(image: str, aci_or_vn2: str) -> dict: mounts = { "aci": [asdict(mount) for mount in ACI_MOUNTS], "vn2": VN2_MOUNTS, - }.get(platform, None) + }.get(aci_or_vn2, None) + + image_platform = get_image_platform(image) return { "id": image, "name": image, - "layers": get_image_layers(image), + "layers": get_image_layers(image, platform=image_platform), + "platform": image_platform, **({"mounts": mounts} if mounts else {}), **get_image_config(image), } diff --git a/src/confcom/azext_confcom/lib/images.py b/src/confcom/azext_confcom/lib/images.py index cd5f5d931ab..d72d963fd30 100644 --- a/src/confcom/azext_confcom/lib/images.py +++ b/src/confcom/azext_confcom/lib/images.py @@ -54,13 +54,19 @@ def get_image_platform(image_reference: str) -> str: ]) -def get_image_layers(image: str) -> list[str]: +def get_image_layers(image: str, platform: str = "linux/amd64") -> list[str]: binary_path = Path(__file__).parent.parent / "bin" / "dmverity-vhd" get_image(image) + + arg_list = [binary_path.as_posix(), "-d", "roothash", "-i", image] + + if platform: + arg_list += ["--platform", platform] + result = subprocess.run( - [binary_path.as_posix(), "-d", "roothash", "-i", image], + arg_list, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, check=True, diff --git a/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py b/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py index ff94812c09f..f02d72a9b72 100644 --- a/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py +++ b/src/confcom/azext_confcom/tests/latest/test_confcom_containers_from_image.py @@ -59,7 +59,7 @@ def test_containers_from_image(sample_directory: str, platform: str): with redirect_stdout(buffer): containers_from_image( image=f"confcom_test_{sample_directory.name}", - platform=platform, + aci_or_vn2=platform, ) actual_container_def = json.loads(buffer.getvalue()) From d9c63da187590aadf0061d8e576aeaec227186aa Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Thu, 9 Apr 2026 18:56:07 +0100 Subject: [PATCH 11/21] [confcom]: acipolicygen: Fix missing platform field in generated policy config for vn2 --- src/confcom/azext_confcom/security_policy.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 0279fee6393..d44b3d85f7a 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -1325,6 +1325,8 @@ def load_policy_from_virtual_node_yaml_str( extract_lifecycle_hook(exec_processes, container, config.VIRTUAL_NODE_YAML_LIFECYCLE_POST_START) extract_lifecycle_hook(exec_processes, container, config.VIRTUAL_NODE_YAML_LIFECYCLE_PRE_STOP) + platform = get_image_platform(image) + policy_containers.append( { config.ACI_FIELD_CONTAINERS_ID: image, @@ -1335,13 +1337,11 @@ def load_policy_from_virtual_node_yaml_str( config.ACI_FIELD_TEMPLATE_ENTRYPOINT: command, config.ACI_FIELD_CONTAINERS_COMMAND: args, config.ACI_FIELD_CONTAINERS_MOUNTS: mounts, - config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes - + config.DEBUG_MODE_SETTINGS.get(config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES) - if debug_mode - else exec_processes, + config.ACI_FIELD_CONTAINERS_EXEC_PROCESSES: exec_processes + get_debug_mode_exec_procs(debug_mode, platform), config.ACI_FIELD_CONTAINERS_SIGNAL_CONTAINER_PROCESSES: [], config.ACI_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS: not disable_stdio, - config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: security_context + config.ACI_FIELD_CONTAINERS_SECURITY_CONTEXT: security_context, + "platform": platform, } ) all_policies.append( From 59627edfb73e1f53e8463b62e4397cb1d28344a5 Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Mon, 13 Apr 2026 12:25:21 +0100 Subject: [PATCH 12/21] Update tooling to consume json --- src/confcom/azext_confcom/config.py | 1 + src/confcom/azext_confcom/container.py | 10 ++++++ src/confcom/azext_confcom/rootfs_proxy.py | 33 +++++++++++++++----- src/confcom/azext_confcom/security_policy.py | 13 ++++++-- 4 files changed, 46 insertions(+), 11 deletions(-) diff --git a/src/confcom/azext_confcom/config.py b/src/confcom/azext_confcom/config.py index afec4f49971..664c93f4b95 100644 --- a/src/confcom/azext_confcom/config.py +++ b/src/confcom/azext_confcom/config.py @@ -127,6 +127,7 @@ POLICY_FIELD_CONTAINERS_ELEMENTS_ENVS_RULE = "pattern" POLICY_FIELD_CONTAINERS_ELEMENTS_REQUIRED = "required" POLICY_FIELD_CONTAINERS_ELEMENTS_LAYERS = "layers" +POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM = "mounted_cim" POLICY_FIELD_CONTAINERS_ELEMENTS_WORKINGDIR = "working_dir" POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS = "mounts" POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_SOURCE = "source" diff --git a/src/confcom/azext_confcom/container.py b/src/confcom/azext_confcom/container.py index b72565a0d73..c38ca6b4e20 100644 --- a/src/confcom/azext_confcom/container.py +++ b/src/confcom/azext_confcom/container.py @@ -606,6 +606,7 @@ def __init__( self._command = command self._workingDir = workingDir self._layers = [] + self._mounted_cim = [] self._mounts = mounts self._allow_elevated = allow_elevated self._allow_stdio_access = allowStdioAccess @@ -661,6 +662,12 @@ def get_layers(self) -> List[str]: def set_layers(self, layers: List[str]) -> None: self._layers = layers + def get_mounted_cim(self) -> List[str]: + return self._mounted_cim + + def set_mounted_cim(self, mounted_cim: List[str]) -> None: + self._mounted_cim = mounted_cim + def get_user(self) -> Dict: return self._user @@ -784,6 +791,9 @@ def _populate_policy_json_elements(self, omit_id: bool = False) -> Dict[str, Any elements.update({ config.POLICY_FIELD_CONTAINERS_ELEMENTS_USER: self.get_user()["user_idname"]["pattern"], }) + # Add mounted_cim for Windows if present + if self._mounted_cim: + elements[config.POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTED_CIM] = self._mounted_cim if not omit_id: diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index 434b746d76c..368598991e2 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -5,12 +5,13 @@ import hashlib +import json import os import platform import stat import subprocess import sys -from typing import List +from typing import List, Dict import requests from azext_confcom.errors import eprint @@ -91,7 +92,7 @@ def get_policy_image_layers( platform: str = "linux/amd64", tar_location: str = "", faster_hashing=False - ) -> List[str]: + ) -> Dict[str, List[str]]: image_name = f"{image}:{tag}" # populate layer info if self.layer_cache.get(image_name): @@ -125,7 +126,7 @@ def get_policy_image_layers( check=False, ) - output = [] + result = {} if item.returncode != 0: if item.stderr.decode("utf-8") != "" and item.stderr.decode("utf-8") is not None: logger.warning(item.stderr.decode("utf-8")) @@ -137,13 +138,29 @@ def get_policy_image_layers( ) sys.exit(item.returncode) elif len(item.stdout) > 0: - output = item.stdout.decode("utf8").strip("\n").split("\n") - output = [i.split(": ", 1)[1] for i in output if len(i.split(": ", 1)) > 1] + stdout_str = item.stdout.decode("utf8").strip() + + # Try parsing as JSON (both Linux and Windows now output JSON) + if stdout_str.startswith("{"): + try: + json_output = json.loads(stdout_str) + result["layers"] = json_output.get("layers", []) + # mounted_cim is only present for Windows + if "mounted_cim" in json_output: + result["mounted_cim"] = json_output["mounted_cim"] + except json.JSONDecodeError as e: + logger.error(f"Failed to parse JSON output: {e}") + sys.exit(1) + else: + # Fallback: line-by-line parsing for older dmverity-vhd versions + lines = stdout_str.split("\n") + layers = [i.split(": ", 1)[1] for i in lines if len(i.split(": ", 1)) > 1] + result["layers"] = layers else: eprint( "Could not get layer hashes" ) - # cache output layers - self.layer_cache[image_name] = output - return output + # cache output + self.layer_cache[image_name] = result + return result diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index d44b3d85f7a..4bea4f576c5 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -597,13 +597,17 @@ def populate_policy_content_for_all_images( if isinstance(tar_mapping, dict): tar_location = get_tar_location_from_mapping(tar_mapping, image_name) # populate layer info - image.set_layers(proxy.get_policy_image_layers( + layer_info = proxy.get_policy_image_layers( image.base, image.tag, platform=self._platform, tar_location=tar_location if tar else "", faster_hashing=faster_hashing, - )) + ) + image.set_layers(layer_info.get("layers", [])) + # Set mounted_cim for Windows containers + if "mounted_cim" in layer_info: + image.set_mounted_cim(layer_info["mounted_cim"]) progress.update() progress.close() @@ -812,7 +816,10 @@ def load_policy_from_arm_template_str( extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_READINESS_PROBE) extract_probe(exec_processes, image_properties, config.ACI_FIELD_CONTAINERS_LIVENESS_PROBE) - platform = get_image_platform(image_name) + # Use platform from template if specified, otherwise try to auto-detect from image + platform = case_insensitive_dict_get(image_properties, "platform") + if not platform: + platform = get_image_platform(image_name) containers.append( { From 28eec7d8331bc14dddf9209a94a52ef874b2b759 Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Fri, 10 Apr 2026 12:03:40 +0100 Subject: [PATCH 13/21] Bump framework version for windows --- src/confcom/azext_confcom/data/customer_rego_policy_windows.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt index f99f72b9202..f0b3bb7bcad 100644 --- a/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt +++ b/src/confcom/azext_confcom/data/customer_rego_policy_windows.txt @@ -4,7 +4,7 @@ import future.keywords.every import future.keywords.in api_version := %s -framework_version := "0.4.0" +framework_version := "0.4.1" fragments := %s From 358bd33d399f91f66dff20739a800d29046ec482 Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Fri, 10 Apr 2026 15:37:53 +0100 Subject: [PATCH 14/21] Update dll requirements And add a fix to framework for rw_mount --- src/confcom/README.md | 3 +++ src/confcom/azext_confcom/data/customer_rego_policy.txt | 1 + 2 files changed, 4 insertions(+) diff --git a/src/confcom/README.md b/src/confcom/README.md index fa5e8d19f87..43aa92a82b9 100644 --- a/src/confcom/README.md +++ b/src/confcom/README.md @@ -29,6 +29,9 @@ ``` - Windows: [Docker Desktop](https://www.docker.com/products/docker-desktop) and [WSL2](https://docs.microsoft.com/en-us/windows/wsl/install) +- **CimWriter.dll** (Windows only, for Windows container support) + - Required for generating security policies for Windows containers + - Windows Server 2025 or newer is recommended for deterministic hash generation ## Installation Instructions (End User) diff --git a/src/confcom/azext_confcom/data/customer_rego_policy.txt b/src/confcom/azext_confcom/data/customer_rego_policy.txt index d3b891c04b0..56b1ef7fbcd 100644 --- a/src/confcom/azext_confcom/data/customer_rego_policy.txt +++ b/src/confcom/azext_confcom/data/customer_rego_policy.txt @@ -34,5 +34,6 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} \ No newline at end of file From 2efb197b3a71bd3e6411a31323e9728e06e8115b Mon Sep 17 00:00:00 2001 From: Mahati Chamarthy Date: Fri, 10 Apr 2026 17:37:17 +0100 Subject: [PATCH 15/21] Bump confcom version 2.0.0 and pick v2.0 dmverity-vhd release --- src/confcom/HISTORY.rst | 5 +++++ src/confcom/azext_confcom/rootfs_proxy.py | 8 ++++---- src/confcom/setup.py | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst index 30bae35cc27..48df38a2096 100644 --- a/src/confcom/HISTORY.rst +++ b/src/confcom/HISTORY.rst @@ -3,6 +3,11 @@ Release History =============== +2.0.0 ++++++ +* Add Windows container support with CIM-based layer hashing +* Support for mounted_cim field in security policies for Windows containers + 1.8.0 +++++ * Ensure that fragments are attached to the correct manifest for a multiarch image. diff --git a/src/confcom/azext_confcom/rootfs_proxy.py b/src/confcom/azext_confcom/rootfs_proxy.py index 368598991e2..f2b93d77c3d 100644 --- a/src/confcom/azext_confcom/rootfs_proxy.py +++ b/src/confcom/azext_confcom/rootfs_proxy.py @@ -28,13 +28,13 @@ _dmverity_vhd_binaries = { "Linux": { "path": _binaries_dir / "dmverity-vhd", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/dev-cwcow-20260401/dmverity-vhd", - "sha256": "61fed52f6a0aee47b2d0a1316b1153f868f25a84daa94b0de37ce4b2e8c6254c", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/v2.0/dmverity-vhd", + "sha256": "e7ad858fef018acd7d8a4ccb74f1b7a9cc1b3d6db5a7f8da5a259f71b26c12ea", }, "Windows": { "path": _binaries_dir / "dmverity-vhd.exe", - "url": "https://github.com/microsoft/integrity-vhd/releases/download/dev-cwcow-20260401/dmverity-vhd.exe", - "sha256": "f4ec22b1b5f42e1f6621ee8d4c7588ed334e7719e155b588d05e773b3b23941e", + "url": "https://github.com/microsoft/integrity-vhd/releases/download/v2.0/dmverity-vhd.exe", + "sha256": "6ef425c4bd07739d9cc90e57488985c1fca41f8d106fc816123b95b6305ee0af", }, } diff --git a/src/confcom/setup.py b/src/confcom/setup.py index d5299468065..4ecc4aeb1a2 100644 --- a/src/confcom/setup.py +++ b/src/confcom/setup.py @@ -19,7 +19,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook") -VERSION = "1.8.0-dev+wcow" +VERSION = "2.0.0" # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers From a8acdb92f313b3eded9ea27105984e9b9c0032c1 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Mon, 13 Apr 2026 18:20:47 +0100 Subject: [PATCH 16/21] [confcom] Update policy api version for "new style" command too --- src/confcom/azext_confcom/data/README | 1 + src/confcom/azext_confcom/lib/policy.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 src/confcom/azext_confcom/data/README diff --git a/src/confcom/azext_confcom/data/README b/src/confcom/azext_confcom/data/README new file mode 100644 index 00000000000..dd32c749908 --- /dev/null +++ b/src/confcom/azext_confcom/data/README @@ -0,0 +1 @@ +internal_config.json and customer_rego_policy.txt are obsolete versions to be removed, new work should happen in src/confcom/azext_confcom/lib/policy.py diff --git a/src/confcom/azext_confcom/lib/policy.py b/src/confcom/azext_confcom/lib/policy.py index 748ed55d0ff..2de1610dc00 100644 --- a/src/confcom/azext_confcom/lib/policy.py +++ b/src/confcom/azext_confcom/lib/policy.py @@ -106,7 +106,7 @@ class Container: @dataclass class Policy: package: str = "policy" - api_version: str = "0.10.0" + api_version: str = "0.11.0" framework_version: str = "0.2.3" fragments: List[FragmentReference] = OrderlessField(default_factory=list) containers: List[Container] = OrderlessField(default_factory=list) From 8889074f56f01ceff27bb4f7fccf782cd47e69d3 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Mon, 13 Apr 2026 18:23:27 +0100 Subject: [PATCH 17/21] [confcom] Make the to-be-released version 2.0.0b1 instead of an actual 2.0.0 Suggested-by: Ken Gordon --- src/confcom/HISTORY.rst | 2 +- src/confcom/azext_confcom/azext_metadata.json | 5 +++-- src/confcom/setup.py | 2 +- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/confcom/HISTORY.rst b/src/confcom/HISTORY.rst index 48df38a2096..6b373c19eed 100644 --- a/src/confcom/HISTORY.rst +++ b/src/confcom/HISTORY.rst @@ -3,7 +3,7 @@ Release History =============== -2.0.0 +2.0.0b1 +++++ * Add Windows container support with CIM-based layer hashing * Support for mounted_cim field in security policies for Windows containers diff --git a/src/confcom/azext_confcom/azext_metadata.json b/src/confcom/azext_confcom/azext_metadata.json index 906e368a65c..316f36c41c2 100644 --- a/src/confcom/azext_confcom/azext_metadata.json +++ b/src/confcom/azext_confcom/azext_metadata.json @@ -1,3 +1,4 @@ { - "azext.minCliCoreVersion": "2.26.2" -} \ No newline at end of file + "azext.minCliCoreVersion": "2.26.2", + "azext.isPreview": true +} diff --git a/src/confcom/setup.py b/src/confcom/setup.py index 4ecc4aeb1a2..619dc9c9ce3 100644 --- a/src/confcom/setup.py +++ b/src/confcom/setup.py @@ -19,7 +19,7 @@ logger.warn("Wheel is not available, disabling bdist_wheel hook") -VERSION = "2.0.0" +VERSION = "2.0.0b1" # The full list of classifiers is available at # https://pypi.python.org/pypi?%3Aaction=list_classifiers From ace2f5044d7bbf056c227a6caf00a7ed8aa36db3 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Tue, 14 Apr 2026 09:49:13 +0100 Subject: [PATCH 18/21] Update azext_confcom/data/README --- src/confcom/azext_confcom/data/README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/confcom/azext_confcom/data/README b/src/confcom/azext_confcom/data/README index dd32c749908..bd324ae2744 100644 --- a/src/confcom/azext_confcom/data/README +++ b/src/confcom/azext_confcom/data/README @@ -1 +1 @@ -internal_config.json and customer_rego_policy.txt are obsolete versions to be removed, new work should happen in src/confcom/azext_confcom/lib/policy.py +internal_config.json and customer_rego_policy.txt are used by the "old style" acipolicygen command. New work should (also) happen in src/confcom/azext_confcom/lib/policy.py (or ensure that it is implemented for `containers from_image`), as eventually the old command will invoke that. From 53bf34b0943514a6dc3e63943c2d299d36092768 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Tue, 14 Apr 2026 10:21:34 +0100 Subject: [PATCH 19/21] Update all sample policies to the new api version and add the rw_mount_device enforcement point This fixes unit tests --- src/confcom/azext_confcom/README.md | 3 ++- .../docs/policy_enforcement_points.md | 3 ++- .../azext_confcom/lib/serialization.py | 1 + src/confcom/azext_confcom/sample_policy.md | 1 + src/confcom/samples/aci/command/policy.rego | 3 ++- .../samples/aci/command/policy_debug.rego | 3 ++- .../aci/command/policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../samples/aci/command/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../command/policy_infrastructure_svn.rego | 3 ++- .../aci/conflicting_variables/policy.rego | 3 ++- .../conflicting_variables/policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../aci/container_group_profiles/policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../samples/aci/default_variables/policy.rego | 3 ++- .../aci/default_variables/policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../default_variables/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../default_variables_override/policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../aci/environment_variables/policy.rego | 3 ++- .../environment_variables/policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../samples/aci/existing_policy/policy.rego | 3 ++- .../aci/existing_policy/policy_debug.rego | 3 ++- .../existing_policy/policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../aci/existing_policy/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../aci/existing_policy_allow_all/policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- src/confcom/samples/aci/minimal/policy.rego | 3 ++- .../samples/aci/minimal/policy_debug.rego | 3 ++- .../aci/minimal/policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../samples/aci/minimal/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../minimal/policy_infrastructure_svn.rego | 3 ++- .../aci/multi_container_groups/policy.rego | 6 ++++-- .../multi_container_groups/policy_debug.rego | 6 ++++-- .../policy_disable_stdio.rego | 6 ++++-- .../policy_exclude_default_fragment.rego | 6 ++++-- ...licy_fragment_plus_infrastructure_svn.rego | 6 ++++-- .../policy_infrastructure_svn.rego | 6 ++++-- .../samples/aci/multi_containers/policy.rego | 3 ++- .../aci/multi_containers/policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../aci/multi_containers/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../security_context_run_as_group/policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../security_context_run_as_user/policy.rego | 3 ++- .../policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- src/confcom/samples/aci/variables/policy.rego | 3 ++- .../samples/aci/variables/policy_debug.rego | 3 ++- .../aci/variables/policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../aci/variables/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../variables/policy_infrastructure_svn.rego | 3 ++- .../aci/volume_mount_secret/policy.rego | 3 ++- .../aci/volume_mount_secret/policy_debug.rego | 3 ++- .../policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../volume_mount_secret/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- .../samples/aci/volume_mounts/policy.rego | 3 ++- .../aci/volume_mounts/policy_debug.rego | 3 ++- .../volume_mounts/policy_disable_stdio.rego | 3 ++- .../policy_exclude_default_fragment.rego | 3 ++- .../aci/volume_mounts/policy_fragment.rego | 3 ++- ...licy_fragment_plus_infrastructure_svn.rego | 3 ++- .../policy_infrastructure_svn.rego | 3 ++- src/confcom/samples/policies/allow_all.rego | 2 +- src/confcom/samples/sample-policy-output.rego | Bin 17004 -> 17106 bytes .../vn2/basic_command_args/policy.rego | 3 ++- .../vn2/configmap_secret_env/policy.rego | 3 ++- .../samples/vn2/fieldref_env/policy.rego | 3 ++- .../vn2/init_and_lifecycle/policy.rego | 3 ++- .../samples/vn2/multi_container/policy.rego | 3 ++- .../vn2/privileged_container/policy.rego | 3 ++- .../samples/vn2/read_only_mounts/policy.rego | 3 ++- .../vn2/resourcefieldref_env/policy.rego | 3 ++- .../samples/vn2/seccomp_profile/policy.rego | 3 ++- .../vn2/security_context_merge/policy.rego | 3 ++- src/confcom/samples/vn2/signals/policy.rego | 3 ++- .../samples/vn2/special_env_regex/policy.rego | 3 ++- .../vn2/volume_claim_templates/policy.rego | 3 ++- .../samples/vn2/workload_identity/policy.rego | 3 ++- 152 files changed, 311 insertions(+), 155 deletions(-) diff --git a/src/confcom/azext_confcom/README.md b/src/confcom/azext_confcom/README.md index eb4c33725fb..aa132e91880 100644 --- a/src/confcom/azext_confcom/README.md +++ b/src/confcom/azext_confcom/README.md @@ -399,7 +399,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.1.0" fragments := [...] @@ -432,6 +432,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} ``` diff --git a/src/confcom/azext_confcom/docs/policy_enforcement_points.md b/src/confcom/azext_confcom/docs/policy_enforcement_points.md index 9ce26f93b4a..52195b8717b 100644 --- a/src/confcom/azext_confcom/docs/policy_enforcement_points.md +++ b/src/confcom/azext_confcom/docs/policy_enforcement_points.md @@ -38,7 +38,7 @@ package mypolicy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.1.0" fragments := [...] @@ -71,6 +71,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} ``` diff --git a/src/confcom/azext_confcom/lib/serialization.py b/src/confcom/azext_confcom/lib/serialization.py index 7702bfef8ba..7e41cff884b 100644 --- a/src/confcom/azext_confcom/lib/serialization.py +++ b/src/confcom/azext_confcom/lib/serialization.py @@ -53,6 +53,7 @@ def policy_serialize(policy: Union[Policy, Fragment]): load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {{"errors": data.framework.errors}} """) diff --git a/src/confcom/azext_confcom/sample_policy.md b/src/confcom/azext_confcom/sample_policy.md index a2d9c6032e8..79001b4a6ab 100644 --- a/src/confcom/azext_confcom/sample_policy.md +++ b/src/confcom/azext_confcom/sample_policy.md @@ -103,6 +103,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy.rego b/src/confcom/samples/aci/command/policy.rego index 0a8288ed727..5458cc68fa0 100644 --- a/src/confcom/samples/aci/command/policy.rego +++ b/src/confcom/samples/aci/command/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_debug.rego b/src/confcom/samples/aci/command/policy_debug.rego index 5726d4f6d31..e2fd4241d36 100644 --- a/src/confcom/samples/aci/command/policy_debug.rego +++ b/src/confcom/samples/aci/command/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_disable_stdio.rego b/src/confcom/samples/aci/command/policy_disable_stdio.rego index c93faa1ea15..2bef0422b25 100644 --- a/src/confcom/samples/aci/command/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/command/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego index ec1dd9acf8a..5dc73e916c6 100644 --- a/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/command/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_fragment.rego b/src/confcom/samples/aci/command/policy_fragment.rego index 70e92051fb0..dcf751eabb8 100644 --- a/src/confcom/samples/aci/command/policy_fragment.rego +++ b/src/confcom/samples/aci/command/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego index 38f5330d1e4..7c5d4ff3b9b 100644 --- a/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/command/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/command/policy_infrastructure_svn.rego b/src/confcom/samples/aci/command/policy_infrastructure_svn.rego index a465b27eba7..e0b8b03ef0e 100644 --- a/src/confcom/samples/aci/command/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/command/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy.rego b/src/confcom/samples/aci/conflicting_variables/policy.rego index 2564d1f4d7d..e501b01cee8 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_debug.rego b/src/confcom/samples/aci/conflicting_variables/policy_debug.rego index 37ecc10f214..b0526f3f5ad 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_debug.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego index 9177bee6ae8..293f2bf6064 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego index 292d288f836..d2d5b3e8185 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego b/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego index da895107e92..dd7e5decea5 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego index 5d2305ae9a2..4db0d2a66e9 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego index 8c07f4ee697..597926c4ce3 100644 --- a/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/conflicting_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy.rego b/src/confcom/samples/aci/container_group_profiles/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_debug.rego b/src/confcom/samples/aci/container_group_profiles/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_debug.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego b/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego b/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego b/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/container_group_profiles/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy.rego b/src/confcom/samples/aci/default_variables/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/default_variables/policy.rego +++ b/src/confcom/samples/aci/default_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_debug.rego b/src/confcom/samples/aci/default_variables/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/default_variables/policy_debug.rego +++ b/src/confcom/samples/aci/default_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/default_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/default_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_fragment.rego b/src/confcom/samples/aci/default_variables/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/default_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/default_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy.rego b/src/confcom/samples/aci/default_variables_override/policy.rego index 2564d1f4d7d..e501b01cee8 100644 --- a/src/confcom/samples/aci/default_variables_override/policy.rego +++ b/src/confcom/samples/aci/default_variables_override/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_debug.rego b/src/confcom/samples/aci/default_variables_override/policy_debug.rego index 37ecc10f214..b0526f3f5ad 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_debug.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego b/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego index 9177bee6ae8..293f2bf6064 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego index 292d288f836..d2d5b3e8185 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_fragment.rego b/src/confcom/samples/aci/default_variables_override/policy_fragment.rego index da895107e92..dd7e5decea5 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_fragment.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego index 5d2305ae9a2..4db0d2a66e9 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego b/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego index 8c07f4ee697..597926c4ce3 100644 --- a/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/default_variables_override/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy.rego b/src/confcom/samples/aci/environment_variables/policy.rego index 6966ac35d00..1f153ed257e 100644 --- a/src/confcom/samples/aci/environment_variables/policy.rego +++ b/src/confcom/samples/aci/environment_variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_debug.rego b/src/confcom/samples/aci/environment_variables/policy_debug.rego index 79a435f36ef..fcbfbcd4165 100644 --- a/src/confcom/samples/aci/environment_variables/policy_debug.rego +++ b/src/confcom/samples/aci/environment_variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego index 1b3bf3399eb..c3c7d5d6d98 100644 --- a/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/environment_variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego index 0582ec2f8b7..613f9afcb71 100644 --- a/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/environment_variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_fragment.rego b/src/confcom/samples/aci/environment_variables/policy_fragment.rego index f3c958b6d44..0a0eb4c839b 100644 --- a/src/confcom/samples/aci/environment_variables/policy_fragment.rego +++ b/src/confcom/samples/aci/environment_variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego index e2c54c52975..c3540fb6c95 100644 --- a/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego index 5c5771f5e79..bfa4e9804b5 100644 --- a/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/environment_variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy.rego b/src/confcom/samples/aci/existing_policy/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/existing_policy/policy.rego +++ b/src/confcom/samples/aci/existing_policy/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_debug.rego b/src/confcom/samples/aci/existing_policy/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/existing_policy/policy_debug.rego +++ b/src/confcom/samples/aci/existing_policy/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego b/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/existing_policy/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/existing_policy/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_fragment.rego b/src/confcom/samples/aci/existing_policy/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/existing_policy/policy_fragment.rego +++ b/src/confcom/samples/aci/existing_policy/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego b/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/existing_policy_allow_all/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy.rego b/src/confcom/samples/aci/minimal/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/minimal/policy.rego +++ b/src/confcom/samples/aci/minimal/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_debug.rego b/src/confcom/samples/aci/minimal/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/minimal/policy_debug.rego +++ b/src/confcom/samples/aci/minimal/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_disable_stdio.rego b/src/confcom/samples/aci/minimal/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/minimal/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/minimal/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/minimal/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_fragment.rego b/src/confcom/samples/aci/minimal/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/minimal/policy_fragment.rego +++ b/src/confcom/samples/aci/minimal/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/minimal/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego b/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/minimal/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy.rego b/src/confcom/samples/aci/multi_container_groups/policy.rego index 67de04a0285..b7f1e64d3cc 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_debug.rego b/src/confcom/samples/aci/multi_container_groups/policy_debug.rego index 7ddb75b3742..5b5785dd530 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_debug.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego b/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego index c7e0650713b..f0be599e6f3 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego index 32fd29e3336..f0400d3787b 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -43,7 +44,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -74,6 +75,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego index bcc5f638768..5a30c600142 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -62,7 +63,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -103,6 +104,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego b/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego index 1aa2ad14c23..7ce66ecc801 100644 --- a/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_container_groups/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} @@ -53,7 +54,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -94,6 +95,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy.rego b/src/confcom/samples/aci/multi_containers/policy.rego index e9ea916e0a8..0c7a66163f2 100644 --- a/src/confcom/samples/aci/multi_containers/policy.rego +++ b/src/confcom/samples/aci/multi_containers/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_debug.rego b/src/confcom/samples/aci/multi_containers/policy_debug.rego index 36217c9ac09..420880febae 100644 --- a/src/confcom/samples/aci/multi_containers/policy_debug.rego +++ b/src/confcom/samples/aci/multi_containers/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego b/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego index 19c2177c1ce..b3738f06aee 100644 --- a/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/multi_containers/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego index fbddd782d71..eb04d2704b2 100644 --- a/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/multi_containers/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_fragment.rego b/src/confcom/samples/aci/multi_containers/policy_fragment.rego index e1d6b484c42..2cdb596e63f 100644 --- a/src/confcom/samples/aci/multi_containers/policy_fragment.rego +++ b/src/confcom/samples/aci/multi_containers/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego index 3965d5eac5e..47e9d18e546 100644 --- a/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_containers/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego b/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego index 4486204c204..2b189640808 100644 --- a/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/multi_containers/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy.rego index e17f515f228..8436ca3cd2a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego index be2655f5834..c9558c91aec 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego index a5188b24c04..cb795ea8edc 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego index 043e9959354..509e2273696 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego index 38027274a76..81c9ab609ae 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego index 1ff9e9c9ec6..0ff47fc21e4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego index e379d8e23b7..a0df6d7664f 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego index db0eb992c57..5d6be1de831 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego index cbfd9699780..6ae3b72378c 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego index 285be86a07d..238acfe3606 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego index 26f34bf1b3b..456c930d07a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego index 27ccf902d93..1ba40238b9a 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego index 249001d4245..3e157bca9a8 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego index 1676fad3709..131d29a2a0d 100644 --- a/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_add_drop/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego index c9e88f85555..4c8901e8742 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego index bd1c6052a14..d7c303dad28 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego index 34425ff5777..0ad603292d3 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego index 0ea9ef76af4..e444c0d3310 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego index 580ae543b37..df284d7cde4 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego index 0b993218415..49c1b7580a6 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego index 26c2ff93c1e..b893b1a1c42 100644 --- a/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_capabilities_drop/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy.rego b/src/confcom/samples/aci/security_context_run_as_group/policy.rego index 93f30fa1e74..691be96db02 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego index 9a618bafc91..128b9782018 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego index 23fac5e69db..35ae6f34217 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego index 39446b7c586..067f2f6c175 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego index 43322bb43ac..b7c1a3febe0 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego index 3a94a9e1816..cc8cffa6d1e 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego index f08ba39228b..5357a5f5020 100644 --- a/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_group/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy.rego b/src/confcom/samples/aci/security_context_run_as_user/policy.rego index e16fb4563d0..fb511fecd82 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego index 6e31e8f99ef..02f5ad5cfd0 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego index 28c1efee0c1..004bb814ecb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego index fa985532527..59b11e97ba8 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego index e7098c289ce..3ac73b1aefb 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego index 103a6785acb..218d6af6e6b 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego b/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego index 3a6ef775944..07a5f3a9895 100644 --- a/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/security_context_run_as_user/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy.rego b/src/confcom/samples/aci/variables/policy.rego index 721ef3581f3..21412c6ea52 100644 --- a/src/confcom/samples/aci/variables/policy.rego +++ b/src/confcom/samples/aci/variables/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_debug.rego b/src/confcom/samples/aci/variables/policy_debug.rego index f33fa7b46c8..50f08260507 100644 --- a/src/confcom/samples/aci/variables/policy_debug.rego +++ b/src/confcom/samples/aci/variables/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_disable_stdio.rego b/src/confcom/samples/aci/variables/policy_disable_stdio.rego index d4f5c46ce0c..e31e27260df 100644 --- a/src/confcom/samples/aci/variables/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/variables/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego index 45eb05085e0..4b249bacdea 100644 --- a/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/variables/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_fragment.rego b/src/confcom/samples/aci/variables/policy_fragment.rego index d9ea7a4f5a6..301ffa0972f 100644 --- a/src/confcom/samples/aci/variables/policy_fragment.rego +++ b/src/confcom/samples/aci/variables/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego index 04642ec19de..a0b480a645a 100644 --- a/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/variables/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego b/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego index 50a2f1e8e22..7fca73ff0dd 100644 --- a/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/variables/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy.rego b/src/confcom/samples/aci/volume_mount_secret/policy.rego index b5a639bb912..c020e197dcb 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego b/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego index 24215106d3f..9fa628f95b5 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego b/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego index 3f5ce0efda4..c31890df1a6 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego index 2a8c79a1d5a..983094135f2 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego b/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego index bb5bf4e1743..55068234edf 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego index 1f8cb708fa8..9fec748e4b0 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego index 29ffb26aee3..ba42aa2c23a 100644 --- a/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mount_secret/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy.rego b/src/confcom/samples/aci/volume_mounts/policy.rego index 273b195b4d9..a62cbc24e13 100644 --- a/src/confcom/samples/aci/volume_mounts/policy.rego +++ b/src/confcom/samples/aci/volume_mounts/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_debug.rego b/src/confcom/samples/aci/volume_mounts/policy_debug.rego index ebe8d8cff89..a86c8007074 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_debug.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_debug.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego b/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego index 71223a5d727..50c2543fe4b 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_disable_stdio.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego b/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego index 40c79ea7359..40daa187696 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_exclude_default_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [] @@ -34,6 +34,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_fragment.rego b/src/confcom/samples/aci/volume_mounts/policy_fragment.rego index 80286bf873a..78dca65c36c 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_fragment.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_fragment.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego index f73bc72b9cd..08a6e871afa 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_fragment_plus_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -53,6 +53,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego b/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego index caf93e6b04f..d15814f95d1 100644 --- a/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego +++ b/src/confcom/samples/aci/volume_mounts/policy_infrastructure_svn.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -44,6 +44,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/policies/allow_all.rego b/src/confcom/samples/policies/allow_all.rego index cfa50f39e5e..a8a4a9d6916 100644 --- a/src/confcom/samples/policies/allow_all.rego +++ b/src/confcom/samples/policies/allow_all.rego @@ -1,6 +1,6 @@ package policy -api_version := "0.10.0" +api_version := "0.11.0" mount_device := {"allowed": true} mount_overlay := {"allowed": true} diff --git a/src/confcom/samples/sample-policy-output.rego b/src/confcom/samples/sample-policy-output.rego index 060e19d684577fa91be04e7b845016f093f412dc..0261d9c69fa1d37109edc3a155e6d5f5911ba752 100644 GIT binary patch delta 52 zcmaFU!g#5bal#>PLk2wt0|q4qUIwnog0{jNAE-I97BQ4F#7~a5wuiF*Tgy&nb4mjM Dj*Slt delta 32 ocmccA%J`;*al#>P0|q??0|q4qUIwnog0{jNAE-G_&T&cu0HU4=fdBvi diff --git a/src/confcom/samples/vn2/basic_command_args/policy.rego b/src/confcom/samples/vn2/basic_command_args/policy.rego index 836d9cdca23..0a98ec2aa07 100644 --- a/src/confcom/samples/vn2/basic_command_args/policy.rego +++ b/src/confcom/samples/vn2/basic_command_args/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -377,6 +377,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/configmap_secret_env/policy.rego b/src/confcom/samples/vn2/configmap_secret_env/policy.rego index 3c4ff5e9de8..96b1e11c011 100644 --- a/src/confcom/samples/vn2/configmap_secret_env/policy.rego +++ b/src/confcom/samples/vn2/configmap_secret_env/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -388,6 +388,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/fieldref_env/policy.rego b/src/confcom/samples/vn2/fieldref_env/policy.rego index ea59ff93085..6d786a7c94d 100644 --- a/src/confcom/samples/vn2/fieldref_env/policy.rego +++ b/src/confcom/samples/vn2/fieldref_env/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -373,6 +373,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/init_and_lifecycle/policy.rego b/src/confcom/samples/vn2/init_and_lifecycle/policy.rego index 1a28591eeb5..456cefc3958 100644 --- a/src/confcom/samples/vn2/init_and_lifecycle/policy.rego +++ b/src/confcom/samples/vn2/init_and_lifecycle/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -641,6 +641,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/multi_container/policy.rego b/src/confcom/samples/vn2/multi_container/policy.rego index 8defcef2dbf..0eaa1545bf4 100644 --- a/src/confcom/samples/vn2/multi_container/policy.rego +++ b/src/confcom/samples/vn2/multi_container/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -606,6 +606,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/privileged_container/policy.rego b/src/confcom/samples/vn2/privileged_container/policy.rego index 2463cffceeb..4e58d768e09 100644 --- a/src/confcom/samples/vn2/privileged_container/policy.rego +++ b/src/confcom/samples/vn2/privileged_container/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -511,6 +511,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/read_only_mounts/policy.rego b/src/confcom/samples/vn2/read_only_mounts/policy.rego index ae1c0fa9e80..97e45441e42 100644 --- a/src/confcom/samples/vn2/read_only_mounts/policy.rego +++ b/src/confcom/samples/vn2/read_only_mounts/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -388,6 +388,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/resourcefieldref_env/policy.rego b/src/confcom/samples/vn2/resourcefieldref_env/policy.rego index e616027f4ea..85335ff3366 100644 --- a/src/confcom/samples/vn2/resourcefieldref_env/policy.rego +++ b/src/confcom/samples/vn2/resourcefieldref_env/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/seccomp_profile/policy.rego b/src/confcom/samples/vn2/seccomp_profile/policy.rego index aa2561c5174..6f134a716b5 100644 --- a/src/confcom/samples/vn2/seccomp_profile/policy.rego +++ b/src/confcom/samples/vn2/seccomp_profile/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -377,6 +377,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/security_context_merge/policy.rego b/src/confcom/samples/vn2/security_context_merge/policy.rego index fce047783cf..95604690b71 100644 --- a/src/confcom/samples/vn2/security_context_merge/policy.rego +++ b/src/confcom/samples/vn2/security_context_merge/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -368,6 +368,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/signals/policy.rego b/src/confcom/samples/vn2/signals/policy.rego index 9ad7c523839..892d06418bd 100644 --- a/src/confcom/samples/vn2/signals/policy.rego +++ b/src/confcom/samples/vn2/signals/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -383,6 +383,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/special_env_regex/policy.rego b/src/confcom/samples/vn2/special_env_regex/policy.rego index b35c8e8c9b7..7606a4a35d9 100644 --- a/src/confcom/samples/vn2/special_env_regex/policy.rego +++ b/src/confcom/samples/vn2/special_env_regex/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/volume_claim_templates/policy.rego b/src/confcom/samples/vn2/volume_claim_templates/policy.rego index 07e15b4a62c..eb6f5fdb046 100644 --- a/src/confcom/samples/vn2/volume_claim_templates/policy.rego +++ b/src/confcom/samples/vn2/volume_claim_templates/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -378,6 +378,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} diff --git a/src/confcom/samples/vn2/workload_identity/policy.rego b/src/confcom/samples/vn2/workload_identity/policy.rego index 7b3bd75f50e..3152c3b497c 100644 --- a/src/confcom/samples/vn2/workload_identity/policy.rego +++ b/src/confcom/samples/vn2/workload_identity/policy.rego @@ -3,7 +3,7 @@ package policy import future.keywords.every import future.keywords.in -api_version := "0.10.0" +api_version := "0.11.0" framework_version := "0.2.3" fragments := [ @@ -398,6 +398,7 @@ runtime_logging := data.framework.runtime_logging load_fragment := data.framework.load_fragment scratch_mount := data.framework.scratch_mount scratch_unmount := data.framework.scratch_unmount +rw_mount_device := data.framework.rw_mount_device reason := {"errors": data.framework.errors} From c47d62ddf548cff97c2b7438a65fc34c028bb851 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Tue, 14 Apr 2026 11:03:37 +0100 Subject: [PATCH 20/21] Remove misleading comment This is not, in fact, where parameters and variables are populated. That happens in the constructor for AciPolicy. --- src/confcom/azext_confcom/custom.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/confcom/azext_confcom/custom.py b/src/confcom/azext_confcom/custom.py index dca86e5bc7b..0e6e03dcc20 100644 --- a/src/confcom/azext_confcom/custom.py +++ b/src/confcom/azext_confcom/custom.py @@ -193,7 +193,6 @@ def acipolicygen_confcom( policy.set_fragment_contents(fragment_policy_list) for count, policy in enumerate(container_group_policies): - # this is where parameters and variables are populated policy.populate_policy_content_for_all_images( individual_image=bool(image_name), tar_mapping=tar_mapping, faster_hashing=faster_hashing ) From 393e97d9551e31e0ec464b391f7dab6752190ed0 Mon Sep 17 00:00:00 2001 From: Tingmao Wang Date: Tue, 14 Apr 2026 11:10:45 +0100 Subject: [PATCH 21/21] [confcom] Fix trying to fetch image with a name containing unresolved parameters/variables --- src/confcom/azext_confcom/security_policy.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/confcom/azext_confcom/security_policy.py b/src/confcom/azext_confcom/security_policy.py index 4bea4f576c5..cc7341c123d 100644 --- a/src/confcom/azext_confcom/security_policy.py +++ b/src/confcom/azext_confcom/security_policy.py @@ -41,7 +41,8 @@ process_fragment_imports, process_mounts, process_mounts_from_config, - readable_diff) + readable_diff, + find_value_in_params_and_vars) from azext_confcom.lib.images import get_image_platform from azext_confcom.lib.defaults import get_debug_mode_exec_procs from knack.log import get_logger @@ -714,7 +715,8 @@ def load_policy_from_arm_template_str( get_values_for_params(input_parameter_json, all_params) AciPolicy.all_params = all_params - AciPolicy.all_vars = case_insensitive_dict_get(input_arm_json, config.ACI_FIELD_TEMPLATE_VARIABLES) or {} + all_vars = case_insensitive_dict_get(input_arm_json, config.ACI_FIELD_TEMPLATE_VARIABLES) or {} + AciPolicy.all_vars = all_vars container_groups = [] @@ -819,7 +821,12 @@ def load_policy_from_arm_template_str( # Use platform from template if specified, otherwise try to auto-detect from image platform = case_insensitive_dict_get(image_properties, "platform") if not platform: - platform = get_image_platform(image_name) + # By this point, we have not substituted any parameters or + # variables yet, but in order to get the image we have to know + # the final image name. So resolve it here temporarily (later + # on, the constructor of AciPolicy will resolve it again) + image_name_with_param_substituted = find_value_in_params_and_vars(all_params, all_vars, image_name) + platform = get_image_platform(image_name_with_param_substituted) containers.append( {