kata.kata-runtime: fix policy after rebase mistake

Signed-off-by: Paul Meyer <katexochen0@gmail.com>

packages/by-name/kata/kata-runtime/0009-genpolicy-allow-image_guest_pull.patch

@@ -16,12 +16,12 @@ image reference without a digest cannot be meaningfully checked, so we
 don't even bother handling that case.
 ---
  src/tools/genpolicy/genpolicy-settings.json   |    2 +-
- src/tools/genpolicy/rules.rego                |  121 +-
+ src/tools/genpolicy/rules.rego                |  116 +-
  src/tools/genpolicy/src/policy.rs             |    4 +
  src/tools/genpolicy/tests/main.rs             |    7 +-
  .../createcontainer/guest_pull/pod.yaml       |   11 +
  .../createcontainer/guest_pull/testcases.json | 2027 +++++++++++++++++
- 6 files changed, 2151 insertions(+), 21 deletions(-)
+ 6 files changed, 2147 insertions(+), 20 deletions(-)
  create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/pod.yaml
  create mode 100644 src/tools/genpolicy/tests/testdata/createcontainer/guest_pull/testcases.json
 
@@ -39,7 +39,7 @@ index 0e75bac710f5ab04d5ab941a79a0484663f3ae70..1b6ab8380d16fbf71638f3965719bf3a
              "source": "local",
              "fstype": "local",
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 63d5e30ac64cdd8bab94e982423646de1b8559e6..1d1808edff203b19f266bbb81f70b05ee56d76ea 100644
+index 63d5e30ac64cdd8bab94e982423646de1b8559e6..37d6cd9b3c0867900706a9e9e671d60aae559d91 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -94,7 +94,7 @@ CreateContainerRequest:= {"ops": ops, "allowed": true} {
@@ -51,7 +51,7 @@ index 63d5e30ac64cdd8bab94e982423646de1b8559e6..1d1808edff203b19f266bbb81f70b05e
 
      p_devices := p_container.devices
      allow_devices(p_devices, i_devices)
-@@ -228,38 +228,42 @@ allow_anno_key(i_key, p_oci) {
+@@ -228,38 +228,39 @@ allow_anno_key(i_key, p_oci) {
 
  # Get the value of the S_NAME_KEY annotation and
  # correlate it with other annotations and process fields.
@@ -91,19 +91,15 @@ index 63d5e30ac64cdd8bab94e982423646de1b8559e6..1d1808edff203b19f266bbb81f70b05e
      print("allow_by_sandbox_name: start")
 
 +    p_oci := p_container.OCI
-+    p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
      i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
-+    print("allow_by_sandbox_name: p_namespace =", p_namespace, "i_namespace =", i_namespace)
-+    p_namespace == i_namespace
 
--    allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
+     allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
 -    allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
-+    allow_by_container_types(p_oci, i_oci, s_name, p_namespace)
 +    allow_by_bundle_or_sandbox_id(p_container, i_oci, i_storages)
      allow_process(p_oci, i_oci, s_name)
 
      print("allow_by_sandbox_name: true")
-@@ -565,11 +569,12 @@ allow_linux_sysctl(p_linux, i_linux) {
+@@ -565,11 +566,12 @@ allow_linux_sysctl(p_linux, i_linux) {
 
  # Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
  # and io.kubernetes.cri.sandbox-id" values with other fields.
@@ -117,7 +113,7 @@ index 63d5e30ac64cdd8bab94e982423646de1b8559e6..1d1808edff203b19f266bbb81f70b05e
      p_regex := p_oci.Annotations[key]
      sandbox_id := i_oci.Annotations[key]
 
-@@ -589,8 +594,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
+@@ -589,8 +591,7 @@ allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) {
          allow_mount(p_oci, i_mount, bundle_id, sandbox_id)
      }
 
@@ -127,7 +123,7 @@ index 63d5e30ac64cdd8bab94e982423646de1b8559e6..1d1808edff203b19f266bbb81f70b05e
 
      print("allow_by_bundle_or_sandbox_id: true")
  }
-@@ -888,30 +892,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
+@@ -888,30 +889,109 @@ mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) {
  ######################################################################
  # Create container Storages
 

packages/by-name/kata/kata-runtime/0012-genpolicy-support-mount-propagation-and-ro-mounts.patch

@@ -9,7 +9,7 @@ Subject: [PATCH] genpolicy: support mount propagation and ro-mounts
  2 files changed, 9 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 1d1808edff203b19f266bbb81f70b05ee56d76ea..0e6d5dadd3a69f472a37326bb34a1b05d12bb85d 100644
+index 37d6cd9b3c0867900706a9e9e671d60aae559d91..9ad9d7119be6b5724b2343ca04e8d5df0d1bff9b 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
 @@ -119,7 +119,8 @@ allow_create_container_input {

packages/by-name/kata/kata-runtime/0017-genpolicy-support-guest-hooks.patch

@@ -31,10 +31,10 @@ index 1e43545320d474ce5994514165176cd8c48db425..9b95f9f7462717d04f0b9ce685d97c04
      "common": {
          "cpath": "/run/kata-containers",
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 0e6d5dadd3a69f472a37326bb34a1b05d12bb85d..e83c35d54f273838d4b717c6c4dad03f52b1a04e 100644
+index 9ad9d7119be6b5724b2343ca04e8d5df0d1bff9b..43cb19a56fe8ea5833708f0639c9e85ddd884cb3 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -1282,7 +1282,7 @@ CopyFileRequest {
+@@ -1279,7 +1279,7 @@ CopyFileRequest {
 
  CreateSandboxRequest {
      print("CreateSandboxRequest: input.guest_hook_path =", input.guest_hook_path)
@@ -43,7 +43,7 @@ index 0e6d5dadd3a69f472a37326bb34a1b05d12bb85d..e83c35d54f273838d4b717c6c4dad03f
 
      print("CreateSandboxRequest: input.kernel_modules =", input.kernel_modules)
      count(input.kernel_modules) == 0
-@@ -1293,6 +1293,21 @@ CreateSandboxRequest {
+@@ -1290,6 +1290,21 @@ CreateSandboxRequest {
      allow_sandbox_storages(input.storages)
  }