Skip to content

C-WCOW: Enforce hashes on already mounted CIMs #2556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MahatiC wants to merge 2 commits into
base: main
Choose a base branch
from
Open

C-WCOW: Enforce hashes on already mounted CIMs #2556

MahatiC wants to merge 2 commits into from
+127 −14

Conversation

@MahatiC
Copy link
Member

@MahatiC MahatiC commented Nov 10, 2025

Prior to this change, Security policy verification of CIM layers (via EnforceVerifiedCIMsPolicy) occurred only during the ResourceTypeWCOWBlockCims type request. When a new container reused an already-mounted merged block CIM, it did not issue a new ResourceTypeWCOWBlockCims type request and therefore it wouldn't get recorded in the policy metadata. This PR will fix that and will enforce the CIMs on all containers including the ones that have the CIMs mounted already.

@MahatiC MahatiC marked this pull request as ready for review November 11, 2025 11:21
@MahatiC MahatiC requested a review from a team as a code owner November 11, 2025 11:21
micromaomao
micromaomao reviewed Nov 17, 2025
View reviewed changes
@anmaxvl anmaxvl added the cwcow label Dec 4, 2025
@anmaxvl anmaxvl self-assigned this Dec 4, 2025
@MahatiC
C-WCOW: Enforce hashes on already mounted CIMs
475e04f 
Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
@MahatiC
C-WCOW: Add a test for verified CIM policy enforcement
b606172 
Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
anmaxvl
anmaxvl reviewed Jan 14, 2026
View reviewed changes
internal/gcs-sidecar/handlers.go
containerID, settings.CombinedLayers.ContainerRootPath, settings.CombinedLayers.Layers, settings.CombinedLayers.ScratchPath)

// The layers size is only one, this is just defensive checking
if len(settings.CombinedLayers.Layers) == 1 {
Copy link
Contributor

@anmaxvl anmaxvl Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

feels like we should do something if it's not 1? The request is coming from the host, so this can be set to anything?

Copy link
Contributor

@anmaxvl anmaxvl Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also, consider reducing the nested ifs, by returning error early.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anmaxvl anmaxvl anmaxvl left review comments

+1 more reviewer

@micromaomao micromaomao micromaomao left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@anmaxvl anmaxvl

@helsaawy helsaawy

Labels

cwcow

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MahatiC @anmaxvl @micromaomao @helsaawy