microsoft.genpolicy: log image reference on unauthorized access

edgelesssys · Dec 3, 2024 · c513151 · c513151
1 parent af71032
commit c513151
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/...name/microsoft/genpolicy/0008-genpolicy-include-reference-in-logs-when-auth-failure.patch b/...name/microsoft/genpolicy/0008-genpolicy-include-reference-in-logs-when-auth-failure.patch
@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: jmxnzo <[email protected]>
+Date: Mon, 2 Dec 2024 12:38:04 +0100
+Subject: [PATCH] genpolicy: include reference in logs when auth failure
+
+---
+ src/tools/genpolicy/src/registry.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/src/registry.rs b/src/tools/genpolicy/src/registry.rs
+index bdce2d40e3a7c3ec34137ceb3685fcc94aedcb39..9aa1cde98cd28a8c78d652986408e7738e5d96d6 100644
+--- a/src/tools/genpolicy/src/registry.rs
++++ b/src/tools/genpolicy/src/registry.rs
+@@ -125,7 +125,7 @@ impl Container {
+                 })
+             }
+             Err(oci_distribution::errors::OciDistributionError::AuthenticationFailure(message)) => {
+-                panic!("Container image registry authentication failure ({}). Are docker credentials set-up for current user?", &message);
++                panic!("Container image registry authentication failure ({}) for {}. Are docker credentials set-up for current user?", &message, &reference.whole().as_str());
+             }
+             Err(e) => {
+                 panic!(
diff --git a/packages/by-name/microsoft/genpolicy/package.nix b/packages/by-name/microsoft/genpolicy/package.nix
@@ -57,8 +57,12 @@ rustPlatform.buildRustPackage rec {
       ./0006-genpolicy-support-HostToContainer-mount-propagation.patch
       # This patch is a port of https://github.com/kata-containers/kata-containers/pull/10136/files
       # to Microsofts genpolicy.
-      # TODO(miampf): remove when picked up by microsoft/kata-containers fork.
+      # TODO(miampf): remove when picked up by microsoft/kata-containers fork
       ./0007-genpolicy-support-for-VOLUME-definition-in-container.patch
+
+      # Simple genpolicy logging patch to include the image reference in case of authentication failure
+      # Not merged, TODO(jmxnzo): remove when error logging was reworked or oci_distribution is updated to oci_client crate on microsoft/kata-containers fork
+      ./0008-genpolicy-include-reference-in-logs-when-auth-failure.patch
     ];
   };