Merge pull request #22014 from baude/norqdpolicy

do not require policy.json

Makefile

@@ -103,7 +103,6 @@ FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d
 
 SELINUXOPT ?= $(shell test -x /usr/sbin/selinuxenabled && selinuxenabled && echo -Z)
 
-MACHINE_POLICY_JSON_DIR ?= .
 
 COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true)
 GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),$(call err_if_empty,COMMIT_NO)-dirty,$(COMMIT_NO))
@@ -121,7 +120,6 @@ LDFLAGS_PODMAN ?= \
 	-X $(LIBPOD)/config._installPrefix=$(PREFIX) \
 	-X $(LIBPOD)/config._etcDir=$(ETCDIR) \
 	-X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \
-	-X $(PROJECT)/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=$(MACHINE_POLICY_JSON_DIR) \
 	-X github.com/containers/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\
 	$(EXTRA_LDFLAGS)
 LDFLAGS_PODMAN_STATIC ?= \
@@ -782,10 +780,6 @@ podman-remote-release-%.zip: test/version/version ## Build podman-remote for %=$
 	cp -r ./docs/build/remote/$(GOOS) "$(tmpsubdir)/$(releasedir)/docs/"
 	cp ./contrib/remote/containers.conf "$(tmpsubdir)/$(releasedir)/"
 	$(MAKE) $(GOPLAT) $(_dstargs) SELINUXOPT="" install.remote
-	# Placing the policy file in the bin directory is intentional This
-	# could be changed in the future to mirror LSB on Linux/Unix but would
-	# require path resolution logic changes to sustain the Win flat model
-	cp ./pkg/machine/ocipull/policy.json "$(tmpsubdir)/$(releasedir)/$(RELEASE_PREFIX)/bin"
 	cd "$(tmpsubdir)" && \
 		zip --recurse-paths "$(CURDIR)/$@" "./$(releasedir)"
 	if [[ "$(GOARCH)" != "$(NATIVE_GOARCH)" ]]; then $(MAKE) clean-binaries; fi

contrib/pkginstaller/Makefile

@@ -47,8 +47,9 @@ package_root: clean-pkgroot $(TMP_BIN)/gvproxy $(TMP_BIN)/vfkit
 	cp $(TMP_BIN)/gvproxy $(PACKAGE_ROOT)/podman/bin/
 	cp $(TMP_BIN)/vfkit $(PACKAGE_ROOT)/podman/bin/
 	chmod a+x $(PACKAGE_ROOT)/podman/bin/*
-	mkdir $(PACKAGE_ROOT)/podman/config
-	cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
+	# Leaving for future considerations
+	# mkdir $(PACKAGE_ROOT)/podman/config
+	# cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
 
 %: %.in podman_version
 	@sed -e 's/__VERSION__/'$(shell ../../test/version/version)'/g' $< >$@

contrib/pkginstaller/package.sh

@@ -41,7 +41,7 @@ function build_podman() {
 }
 
 function build_podman_arch(){
-    make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" MACHINE_POLICY_JSON_DIR="${MACHINE_POLICY_JSON_DIR}"
+    make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
     make -B GOARCH="$1" podman-mac-helper
     mkdir -p "${tmpBin}"
     cp bin/darwin/podman "${tmpBin}/podman-$1"

contrib/win-installer/build.ps1

@@ -144,13 +144,13 @@ if ($gvExists) {
     $env:UseGVProxy = "Skip"
 }
 
-$pExists = Test-Path "artifacts/policy.json"
-if ($pExists) {
-    Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue
-} else {
-    $env:IncludePolicyJSON = "Skip"
-}
-
+# Retaining for possible future additions
+# $pExists = Test-Path "artifacts/policy.json"
+# if ($pExists) {
+#     Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue
+# } else {
+#     $env:IncludePolicyJSON = "Skip"
+# }
 .\build-msi.bat $ENV:INSTVER; ExitOnError
 SignItem @("podman.msi")
 

contrib/win-installer/podman.wxs

@@ -12,11 +12,6 @@
     <?define UseGVProxy = ""?>
   <?endif?>
 
-  <?ifdef env.IncludePolicyJSON?>
-    <?define IncludePolicyJSON = "$(env.IncludePolicyJSON)"?>
-  <?else?>
-    <?define IncludePolicyJSON = ""?>
-  <?endif?>
 
   <Product Name="Podman $(var.VERSION)" Id="*" UpgradeCode="696BAB5D-CA1F-4B05-B123-320F245B8D6D" Version="$(var.VERSION)" Language="1033" Manufacturer="Red Hat Inc.">
 
@@ -47,11 +42,6 @@
               <File Id="GvProxyExecutableFile" Name="gvproxy.exe" Source="artifacts/gvproxy.exe" KeyPath="yes"/>
             </Component>
             <?endif?>
-            <?if $(var.IncludePolicyJSON) != Skip?>
-            <Component Id="PolicyJSON" Guid="C6135EDA-7C17-4A0E-BC52-5AB38BD54A61" Win64="yes">
-              <File Id="PolicyJSONFile" Name="policy.json" Source="artifacts/policy.json" KeyPath="yes"/>
-            </Component>
-            <?endif?>
             <Component Id="GuideHTMLComponent" Guid="8B23C76B-F7D4-4030-8C46-1B5729E616B5" Win64="yes">
               <File Id="GuideHTMLFile"  Name="welcome-podman.html" Source="docs/podman-for-windows.html" KeyPath="yes"/>
             </Component>
@@ -85,9 +75,6 @@
       <?if $(var.UseGVProxy) != Skip?>
       <ComponentRef Id="GvProxyExecutable"/>
       <?endif?>
-      <?if $(var.IncludePolicyJSON) != Skip?>
-      <ComponentRef Id="PolicyJSON"/>
-      <?endif?>
       <ComponentRef Id="GuideHTMLComponent"/>
       <ComponentGroupRef Id="ManFiles"/>
       <ComponentGroupRef Id="WSLFeature"/>

contrib/win-installer/process-release.ps1

@@ -135,12 +135,13 @@ try {
         Copy-Artifact("gvproxy.exe")
     }
 
-    $loc = Get-ChildItem -Recurse -Path . -Name policy.json
-    if (!$loc) {
-        Write-Host "Skipping policy.json artifact"
-    } else {
-        Copy-Artifact("policy.json")
-    }
+    # Retaining for future additions
+    # $loc = Get-ChildItem -Recurse -Path . -Name policy.json
+    # if (!$loc) {
+    #     Write-Host "Skipping policy.json artifact"
+    # } else {
+    #     Copy-Artifact("policy.json")
+    # }
 
     $docsloc = Get-ChildItem -Path . -Name docs -Recurse
     $loc = Get-ChildItem -Recurse -Path . -Name podman-for-windows.html

pkg/machine/ocipull/policy.go

@@ -1,9 +1,10 @@
 package ocipull
 
 import (
-	"fmt"
 	"os"
 	"path/filepath"
+
+	"github.com/sirupsen/logrus"
 )
 
 // DefaultPolicyJSONPath should be overwritten at build time with the real path to the directory where
@@ -15,33 +16,18 @@ var DefaultPolicyJSONPath = ""
 
 const policyfile = "policy.json"
 
-type defaultPolicyError struct {
-	errs []error
-}
-
-func (e *defaultPolicyError) Error() string {
-	return fmt.Sprintf("no DefaultPolicyJSONPath defined and no local overwrites found: %q", e.errs)
-}
-
-func policyPath() (string, error) {
+// policyPaths returns a slice of possible directories where a policy.json might live
+func policyPaths() []string {
 	paths := localPolicyOverwrites()
-	errs := make([]error, 0, len(paths))
-	for _, path := range paths {
-		_, err := os.Stat(path)
-		if err == nil {
-			return path, nil
-		}
-		errs = append(errs, err)
-	}
 	if DefaultPolicyJSONPath != "" {
 		if filepath.IsAbs(DefaultPolicyJSONPath) {
-			return filepath.Join(DefaultPolicyJSONPath, policyfile), nil
+			return append(paths, filepath.Join(DefaultPolicyJSONPath, policyfile))
 		}
 		p, err := os.Executable()
 		if err != nil {
-			return "", fmt.Errorf("could not resolve relative path to binary: %w", err)
+			logrus.Warnf("could not resolve relative path to binary: %q", err)
 		}
-		return filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile), nil
+		paths = append(paths, filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile))
 	}
-	return "", &defaultPolicyError{errs: errs}
+	return paths
 }

pkg/machine/ocipull/pull.go

@@ -2,7 +2,9 @@ package ocipull
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 
 	"github.com/containers/buildah/pkg/parse"
@@ -13,6 +15,7 @@ import (
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v5/pkg/machine/define"
+	"github.com/sirupsen/logrus"
 )
 
 // PullOptions includes data to alter certain knobs when pulling a source
@@ -26,8 +29,17 @@ type PullOptions struct {
 	Quiet bool
 }
 
+var (
+	// noSignaturePolicy is a default policy if policy.json is not found on
+	// the host machine.
+	noSignaturePolicy string = `{"default":[{"type":"insecureAcceptAnything"}]}`
+)
+
 // Pull `imageInput` from a container registry to `sourcePath`.
 func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *define.VMFile, options *PullOptions) error {
+	var (
+		policy *signature.Policy
+	)
 	destRef, err := layout.ParseReference(localDestPath.GetPath())
 	if err != nil {
 		return err
@@ -44,15 +56,28 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
 		sysCtx.DockerAuthConfig = authConf
 	}
 
-	path, err := policyPath()
-	if err != nil {
-		return err
+	// Policy paths returns a slice of directories where the policy.json
+	// may live.  Iterate those directories and try to see if any are
+	// valid ignoring when the file does not exist
+	for _, path := range policyPaths() {
+		policy, err = signature.NewPolicyFromFile(path)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				continue
+			}
+			return fmt.Errorf("reading signature policy: %w", err)
+		}
 	}
 
-	policy, err := signature.NewPolicyFromFile(path)
-	if err != nil {
-		return fmt.Errorf("obtaining signature policy: %w", err)
+	// If no policy has been found yet, we use a no signature policy automatically
+	if policy == nil {
+		logrus.Debug("no signature policy file found: using default allow everything signature policy")
+		policy, err = signature.NewPolicyFromBytes([]byte(noSignaturePolicy))
+		if err != nil {
+			return fmt.Errorf("obtaining signature policy: %w", err)
+		}
 	}
+
 	policyContext, err := signature.NewPolicyContext(policy)
 	if err != nil {
 		return fmt.Errorf("creating new signature policy context: %w", err)