From 898f6183756b3692b24548100e3b3001c61512cf Mon Sep 17 00:00:00 2001
From: Gonzalo Reyero Ferreras <87083379+greyerof@users.noreply.github.com>
Date: Fri, 20 Sep 2024 23:41:24 +0200
Subject: [PATCH] Fix for the SCC categories check. (#2460)

Container's securityContext.readOnlyRootFilesystem field should only be checked if SCC.ReadOnlyRootFilesystem is true. Otherwise, it means it can have any value.

---
 .../securitycontextcontainer.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/tests/accesscontrol/securitycontextcontainer/securitycontextcontainer.go b/tests/accesscontrol/securitycontextcontainer/securitycontextcontainer.go
index e96ae6c5d..bb3f6ee5b 100644
--- a/tests/accesscontrol/securitycontextcontainer/securitycontextcontainer.go
+++ b/tests/accesscontrol/securitycontextcontainer/securitycontextcontainer.go
@@ -493,10 +493,17 @@ func compareCategory(refCategory, containerSCC *ContainerSCC, id CategoryID) boo
 result = false
 log.Debug("PrivilegedContainer = %s but expected <= %s - NOK", containerSCC.PrivilegedContainer, refCategory.PrivilegedContainer)
 }
- // ReadOnlyRootFilesystem is true if the ReadOnlyRootFilesystem field is set to true, false otherwise.
- if refCategory.ReadOnlyRootFilesystem >= containerSCC.ReadOnlyRootFilesystem {
- log.Debug("ReadOnlyRootFilesystem = %s - OK", containerSCC.ReadOnlyRootFilesystem)
- } else {
+
+ // From the SecurityContextConstraint CRD spec:
+ // description: ReadOnlyRootFilesystem when set to true will force containers
+ // to run with a read only root file system. If the container specifically
+ // requests to run with a non-read only root file system the SCC should
+ // deny the pod. If set to false the container may run with a read only
+ // root file system if it wishes but it will not be forced to.
+ // type: boolean
+ if refCategory.ReadOnlyRootFilesystem == NOK {
+ log.Debug("ReadOnlyRootFilesystem = %s - OK (not enforced by SCC)", containerSCC.ReadOnlyRootFilesystem)
+ } else if containerSCC.ReadOnlyRootFilesystem != OK {
 result = false
 log.Debug("ReadOnlyRootFilesystem = %s but expected <= %s - NOK", containerSCC.ReadOnlyRootFilesystem, refCategory.ReadOnlyRootFilesystem)
 }
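Review bot: The failure message kept as context at the end of the hunk, `"ReadOnlyRootFilesystem = %s but expected <= %s - NOK"`, still describes the old ordered `>=` comparison, but the new `else if` branch only fires when the SCC enforces a read-only root filesystem and the container value is anything other than OK, so the "expected <= refCategory" wording no longer matches the rule being applied and will mislead anyone reading the debug log to diagnose a category mismatch. Consider `log.Debug("ReadOnlyRootFilesystem = %s but SCC enforces read-only root filesystem (expected %s) - NOK", containerSCC.ReadOnlyRootFilesystem, refCategory.ReadOnlyRootFilesystem)`. The `!= OK` form is the right direction from a security standpoint: any value that is not explicitly OK (including whatever the type uses for "unset", if it has such a value) is treated as a failure rather than silently passing, so I would keep it as written rather than loosening it to `== NOK`. The body of compareCategory begins before this hunk and its `result` is returned after it, so the final verdict is not visible here.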