Skip to content

C-WCOW: Enforce hashes on already mounted CIMs #2556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
MahatiC wants to merge 3 commits into
base: main
Choose a base branch
from
Open

C-WCOW: Enforce hashes on already mounted CIMs #2556

MahatiC wants to merge 3 commits into from
+131 −14

Conversation

@MahatiC
Copy link
Member

@MahatiC MahatiC commented Nov 10, 2025
edited
Loading

Prior to this change, if you had two containers with the same image layers, the second container would not get captured in the SecurityPolicy metadata and hence would not enforce the policy. SecurityPolicy pkg captures container image layer hashes and associates them with the ContainerID during CIM mount operation. But because the CIMs are already mounted (for the previous container), this process would not occur for the second container with the same layers.

This change caches the image layer hashes for each container and SecurityPolicy instance will capture it in the metadata later on (during layer combining) if it wasn't already captured previously for this ContainerID and enforces policy.

@MahatiC MahatiC marked this pull request as ready for review November 11, 2025 11:21
@MahatiC MahatiC requested a review from a team as a code owner November 11, 2025 11:21
micromaomao
micromaomao reviewed Nov 17, 2025
View reviewed changes
@anmaxvl anmaxvl added the cwcow label Dec 4, 2025
@anmaxvl anmaxvl self-assigned this Dec 4, 2025
anmaxvl
anmaxvl reviewed Jan 14, 2026
View reviewed changes
@MahatiC MahatiC force-pushed the enforce-hashes branch 3 times, most recently from 3c87763 to 1758527 Compare January 16, 2026 17:00
helsaawy
helsaawy reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

@helsaawy helsaawy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nits, but LGTM

@MahatiC MahatiC force-pushed the enforce-hashes branch 5 times, most recently from 3df5e5b to 33dfbbd Compare January 29, 2026 17:45
@anmaxvl
Copy link
Contributor

anmaxvl commented Jan 30, 2026

needs a rebase.

@MahatiC
C-WCOW: Enforce hashes on already mounted CIMs
58690e0 
Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
@MahatiC
C-WCOW: Add a test for verified CIM policy enforcement
4e78d26 
Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
@MahatiC
C-WCOW: Use guid.GUID instead of string
2f44bbc 
Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anmaxvl anmaxvl anmaxvl approved these changes

@helsaawy helsaawy helsaawy approved these changes

+1 more reviewer

@micromaomao micromaomao micromaomao left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@anmaxvl anmaxvl

@helsaawy helsaawy

Labels

cwcow

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MahatiC @anmaxvl @micromaomao @helsaawy