
Commit 94ccf27

author
Manish Ranjan Mahanta
committed
sidecar-GCS changes to forward modifyServiceSettings
Signed-off-by: Manish Ranjan Mahanta <mmahanta@microsoft.com>
1 parent 6c230cb commit 94ccf27

3 files changed

Lines changed: 94 additions & 0 deletions


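--- a/internal/gcs-sidecar/bridge.go
+++ b/internal/gcs-sidecar/bridge.go
@@ -172,6 +172,7 @@ func (b *Bridge) AssignHandlers() {
 b.HandleFunc(prot.RPCDeleteContainerState, b.deleteContainerState)
 b.HandleFunc(prot.RPCUpdateContainer, b.updateContainer)
 b.HandleFunc(prot.RPCLifecycleNotification, b.lifecycleNotification)
+b.HandleFunc(prot.RPCModifyServiceSettings, b.modifyServiceSettings)
 }
 
 // readMessage reads the message from io.Reader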

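--- a/internal/gcs-sidecar/handlers.go
+++ b/internal/gcs-sidecar/handlers.go
@@ -23,6 +23,7 @@ import (
 oci "github.com/Microsoft/hcsshim/internal/oci"
 "github.com/Microsoft/hcsshim/internal/protocol/guestrequest"
 "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
+"github.com/Microsoft/hcsshim/internal/vm/vmutils/etw"
 "github.com/Microsoft/hcsshim/internal/windevice"
 "github.com/Microsoft/hcsshim/pkg/annotations"
 "github.com/Microsoft/hcsshim/pkg/cimfs"
@@ -491,6 +492,67 @@ func (b *Bridge) lifecycleNotification(req *request) (err error) {
 return nil
 }
 
+func (b *Bridge) modifyServiceSettings(req *request) (err error) {
+_, span := oc.StartSpan(req.ctx, "sidecar::modifyServiceSettings")
+defer span.End()
+defer func() { oc.SetSpanStatus(span, err) }()
+
+// Todo: Add policy enforcement for modifying service settings
+modifyRequest, err := unmarshalModifyServiceSettings(req)
+if err != nil {
+return err
+}
+
+switch modifyRequest.PropertyType {
+case string(prot.LogForwardService):
+if modifyRequest.Settings != nil {
+log.G(req.ctx).Tracef("modifyServiceSettings for LogForwardService with RPCModifyServiceSettings, enforcing policy for log sources")
+settings := modifyRequest.Settings.(*guestrequest.LogForwardServiceRPCRequest)
+
+switch settings.RPCType {
+case guestrequest.RPCModifyServiceSettings, guestrequest.RPCStartLogForwarding, guestrequest.RPCStopLogForwarding:
+log.G(req.ctx).Tracef("%v request received for LogForwardService, proceeding with policy enforcement for log sources", settings.RPCType)
+// Enforce the policy for log sources in the request and update the settings with allowed log sources.
+// For cwcow, the sidecar-GCS will verify the allowed log sources against policy and append the necessary GUIDs to the ones allowed. Rest are dropped.
+// The Enforcer will have to unmarshal the log sources, enforce the policy and then marshal it back to a Base64 encoded JSON string which is what inbox GCS expects.
+// It can query etw.GetDefaultLogSources to get the default log sources if the policy allows, and allow providers matching the default list during policy enforcement.
+// This is because the log sources can be a combination of default and user specified log sources for which GUIDs need to be appended based on the policy enforcement.
+if settings.Settings != "" {
+// <EXAMPLE CALL>
+// allowedLogSources, err := b.hostState.securityOptions.PolicyEnforcer.EnforceLogForwardServiceSettingsPolicy(req.ctx, settings.LogSources)
+
+// For now, we are skipping the policy enforcement and allowing all log sources as the policy enforcer implementation is in progress. We will add the enforcement back once it's implemented.
+allowedLogSources := settings.Settings // This is Base64 encoded JSON string of log sources
+log.G(req.ctx).Tracef("Allowed log sources after policy enforcement: %v", allowedLogSources)
+
+// Update the allowed log sources in the settings. This will be forwarded to inbox GCS which expects the log sources in a JSON string format with GUIDs for providers included.
+allowedLogSources = etw.UpdateEncodedLogSources(req.ctx, allowedLogSources, false, true)
+settings.Settings = allowedLogSources
+}
+default:
+log.G(req.ctx).Tracef("modifyServiceSettings for LogForwardService with RPCType: %v, skipping policy enforcement", settings.RPCType)
+}
+modifyRequest.Settings = settings
+buf, err := json.Marshal(modifyRequest)
+if err != nil {
+return fmt.Errorf("failed to marshal modifyServiceSettings request: %w", err)
+}
+var newRequest request
+newRequest.ctx = req.ctx
+newRequest.header = req.header
+newRequest.header.Size = uint32(len(buf)) + prot.HdrSize
+newRequest.message = buf
+req = &newRequest
+} else {
+log.G(req.ctx).Tracef("modifyServiceSettings for LogForwardService with empty settings, skipping policy enforcement")
+}
+default:
+log.G(req.ctx).Tracef("modifyServiceSettings with PropertyType: %v, skipping policy enforcement", modifyRequest.PropertyType)
+}
+b.forwardRequestToGcs(req)
+return nil
+}
+
 func volumeGUIDFromLayerPath(path string) (string, bool) {
 if p, ok := strings.CutPrefix(path, `\\?\Volume{`); ok {
 if q, ok := strings.CutSuffix(p, `}\Files`); ok {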
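Review bot: Lines 524–530 forward every log source named in the request with no enforcement, while the surrounding comments describe a policy gate; if this sidecar runs in the cwcow guest the comment at line 516 refers to, the host issuing RPCModifyServiceSettings is the party the policy exists to constrain, so an interim pass-through is a fail-open default. Until EnforceLogForwardServiceSettingsPolicy exists, rejecting the request (or reducing settings.Settings to the etw default sources) whenever a policy is loaded would fail closed, and the stale `// Todo: Add policy enforcement for modifying service settings` at line 500 should be merged into that one note. The type assertion at line 510 is also unchecked; `settings, ok := modifyRequest.Settings.(*guestrequest.LogForwardServiceRPCRequest)` followed by `if !ok { return fmt.Errorf("unexpected LogForwardService settings type %T", modifyRequest.Settings) }` turns a future mismatch with unmarshalModifyServiceSettings into an error rather than a panic in the sidecar. The handler is fully contained in the hunk.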

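--- a/internal/gcs-sidecar/uvm.go
+++ b/internal/gcs-sidecar/uvm.go
@@ -17,6 +17,37 @@ import (
 "github.com/Microsoft/hcsshim/internal/protocol/guestresource"
 )
 
+func unmarshalModifyServiceSettings(req *request) (_ *prot.ServiceModificationRequest, err error) {
+ctx, span := oc.StartSpan(req.ctx, "sidecar::unmarshalModifyServiceSettings")
+defer span.End()
+defer func() { oc.SetSpanStatus(span, err) }()
+
+var serviceModifyRequest prot.ServiceModificationRequest
+var requestRawSettings json.RawMessage
+serviceModifyRequest.Settings = &requestRawSettings
+if err := commonutils.UnmarshalJSONWithHresult(req.message, &serviceModifyRequest); err != nil {
+return nil, fmt.Errorf("failed to unmarshal rpcModifySettings: %w", err)
+}
+
+if serviceModifyRequest.PropertyType != "" {
+switch serviceModifyRequest.PropertyType {
+case string(prot.LogForwardService):
+log.G(ctx).Info("Unmarshalling log forward service modify settings")
+settings := &guestrequest.LogForwardServiceRPCRequest{}
+if err := commonutils.UnmarshalJSONWithHresult(requestRawSettings, settings); err != nil {
+return nil, fmt.Errorf("invalid LogForwardService modify settings request: %w", err)
+}
+serviceModifyRequest.Settings = settings
+default:
+// Invalid request
+log.G(ctx).Errorf("Invalid ServiceModificationRequest: %v", serviceModifyRequest.PropertyType)
+return nil, fmt.Errorf("invalid ServiceModificationRequest")
+}
+}
+
+return &serviceModifyRequest, nil
+}
+
 func unmarshalContainerModifySettings(req *request) (_ *prot.ContainerModifySettings, err error) {
 ctx, span := oc.StartSpan(req.ctx, "sidecar::unmarshalContainerModifySettings")
 defer span.End()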
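Review bot: An empty PropertyType bypasses the validation at lines 32–46: the outer `if` skips the switch, so a request with no PropertyType comes back with Settings still pointing at the raw JSON and the handler in handlers.go forwards it to inbox GCS unchanged, whereas any unrecognized non-empty type is rejected. Unless inbox GCS assigns meaning to an empty PropertyType (not visible here), dropping the guard `if serviceModifyRequest.PropertyType != "" {` so the empty case reaches the rejecting `default:` keeps the sidecar's validation consistent, or a comment should record why the empty case is deliberately passed through. The `log.G(ctx).Info(...)` at line 35 is also on a per-request path; Trace would match the level the handler uses for the same event. The function is fully contained in the hunk.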
