C-WCOW: Misc cleanup

Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>

Author: MahatiC

pkg/securitypolicy/framework.rego

@@ -299,7 +299,7 @@ noNewPrivileges_ok(no_new_privileges) {
 
 noNewPrivileges_ok_check(obj) {
     is_linux
-    noNewPrivileges_ok(obj.no_new_privileges)
+    noNewPrivileges_ok(obj)
 }
 
 noNewPrivileges_ok_check(obj) {
@@ -650,7 +650,7 @@ possible_container_after_caps(env_containers, is_exec) := {
     caps_list := valid_caps_for_all(env_containers, is_privileged)
     filtered := [container |
         container := env_containers[_]
-        caps_ok(get_capabilities(container, input.privileged), caps_list)
+        caps_ok(get_capabilities(container, is_privileged), caps_list)
     ]
 }
 
@@ -747,6 +747,7 @@ exec_in_container := {"metadata": [updateMatches],
                       "env_list": env_list,
                       "caps_list": caps_list,
                       "allowed": true} {
+
     container_started
 
     # narrow our matches based upon the process requested
@@ -756,7 +757,7 @@ exec_in_container := {"metadata": [updateMatches],
         # the error handling, such that error messaging correctly reflects
         # the narrowing process.
         workingDirectory_ok(container.working_dir)
-        #noNewPrivileges_ok(container.no_new_privileges)
+        noNewPrivileges_ok_check(container.no_new_privileges)
         user_ok(container.user)
         some process in container.exec_processes
         command_ok(process.command)
@@ -795,16 +796,6 @@ exec_in_container := {"metadata": [updateMatches],
     }
 }
 
-noNewPrivileges(current_container) {
-    is_linux
-    current_container.no_new_privileges
-    input.noNewPrivileges
-}
-
-noNewPrivileges(current_container) {
-    is_windows
-}
-
 default shutdown_container := {"allowed": false}
 
 shutdown_container := {"started": remove, "metadata": [remove], "allowed": true} {
@@ -1661,7 +1652,7 @@ noNewPrivileges_matches {
     some process in container.exec_processes
     command_ok(process.command)
     workingDirectory_ok(process.working_dir)
-    noNewPrivileges_ok_check(process)
+    noNewPrivileges_ok_check(process.no_new_privileges)
 }
 
 errors["invalid noNewPrivileges"] {

pkg/securitypolicy/rego_utils_test.go

@@ -1410,31 +1410,18 @@ func setupRegoCreateContainerTest(gc *generatedConstraints, testContainer *secur
 
 	// Handle user configuration based on OS type
 	user := IDName{}
-	var groups []IDName
-	var umask string
-	var capabilities *oci.LinuxCapabilities
+	if testContainer.User.UserIDName.Strategy != IDNameStrategyRegex {
+		user = buildIDNameFromConfig(testContainer.User.UserIDName, testRand)
+	}
+	groups := buildGroupIDNamesFromUser(testContainer.User, testRand)
+	umask := testContainer.User.Umask
 
-	if testOSType == "windows" {
-		// For Windows, use the WindowsUser field from the test container if available
-		/*if testContainer.WindowsUser != "" {
-			user = IDName{Name: testContainer.WindowsUser}
-		} else {
-			user = IDName{Name: generateIDNameName(testRand)}
-		}*/
+	var capabilities *oci.LinuxCapabilities
+	if testContainer.Capabilities != nil {
+		capsExternal := copyLinuxCapabilities(testContainer.Capabilities.toExternal())
+		capabilities = &capsExternal
 	} else {
-		// For Linux, use the full ID/Name strategy
-		if testContainer.User.UserIDName.Strategy != IDNameStrategyRegex {
-			user = buildIDNameFromConfig(testContainer.User.UserIDName, testRand)
-		}
-		groups = buildGroupIDNamesFromUser(testContainer.User, testRand)
-		umask = testContainer.User.Umask
-
-		if testContainer.Capabilities != nil {
-			capsExternal := copyLinuxCapabilities(testContainer.Capabilities.toExternal())
-			capabilities = &capsExternal
-		} else {
-			capabilities = nil
-		}
+		capabilities = nil
 	}
 
 	seccomp := testContainer.SeccompProfileSHA256