WIP: Implement ResourceTypeSecurityPolicy

cmd/gcs-sidecar/internal/bridge/bridge.go

@@ -15,6 +15,7 @@
 	"github.com/pkg/errors"
 	"golang.org/x/sys/windows"
 
+	"github.com/Microsoft/hcsshim/cmd/gcs-sidecar/internal/windowssecuritypolicy"
 	"github.com/Microsoft/hcsshim/internal/guest/gcserr"
 )
 
@@ -25,14 +26,27 @@
 // - cherry pick commit to add annotations for securityPolicy
 // - shimdiag.exe exec uvmID
 // TODO: Do we need to support schema1 request types?
 type requestMessage interface {
 	Base() *requestBase
 }
 
 type responseMessage interface {
 	Base() *responseBase
 }
 
+type messageHeader struct {
+	Type uint32
+	Size uint32
+	ID   int64
+}
+
+type bridgeResponse struct {
+	// ctx is the context created on request read
+	// ctx      context.Context
+	header   *messageHeader
+	response interface{}
+}
+
 /*
 // rpc represents an outstanding rpc request to the guest
 type rpc struct {
@@ -69,6 +83,34 @@
 	// waitCh chan struct{}
 
 	quitChan chan error
+
+	PolicyEnforcer *SecurityPoliyEnforcer
+}
+
+type SecurityPoliyEnforcer struct {
+	// state required for the security policy enforcement
+	policyMutex               sync.Mutex
+	securityPolicyEnforcer    windowssecuritypolicy.SecurityPolicyEnforcer
+	securityPolicyEnforcerSet bool
+	uvmReferenceInfo          string
+}
+
+func NewBridge(shimConn io.ReadWriteCloser, inboxGCSConn io.ReadWriteCloser) *Bridge {
+	return &Bridge{
+		shimConn:      shimConn,
+		inboxGCSConn:  inboxGCSConn,
+		handlerList:   make(map[rpcProc]HandlerFunc),
+		sendToGCSChan: make(chan request),
+		sendToShimCh:  make(chan request),
+		quitChan:      make(chan error),
+	}
+}
+
+func NewPolicyEnforcer(initialEnforcer windowssecuritypolicy.SecurityPolicyEnforcer) *SecurityPoliyEnforcer {
+	return &SecurityPoliyEnforcer{
+		securityPolicyEnforcerSet: false,
+		securityPolicyEnforcer:    initialEnforcer,
+	}
 }
 
 // TODO: rename request to bridgeMessage
@@ -98,17 +140,6 @@
 	message []byte
 }
 
-func NewBridge(shimConn io.ReadWriteCloser, inboxGCSConn io.ReadWriteCloser) *Bridge {
-	return &Bridge{
-		shimConn:      shimConn,
-		inboxGCSConn:  inboxGCSConn,
-		handlerList:   make(map[rpcProc]HandlerFunc),
-		sendToGCSChan: make(chan request),
-		sendToShimCh:  make(chan request),
-		quitChan:      make(chan error),
-	}
-}
-
 // UnknownMessage represents the default handler logic for an unmatched request
 // type sent from the bridge.
 func UnknownMessage(r *request) error {
@@ -184,12 +215,6 @@
 	b.HandleFunc(rpcLifecycleNotification, b.lifecycleNotification) // TODO: Validate this request as well?
 }
 
-type messageHeader struct {
-	Type uint32
-	Size uint32
-	ID   int64
-}
-
 func readMessage(r io.Reader) (request, error) {
 	var h [hdrSize]byte
 	_, err := io.ReadFull(r, h[:])
@@ -273,14 +298,14 @@
 					// 2. Code cleanup on error
 					// ? b.close(err)
 					// b.quitCh <- true // give few seconds delay and close connections?
-					b.close(err)
 					return
 				}
 
 				// If we are here, means that the requested operation is allowed.
 				// Forward message to GCS. We handle responses from GCS separately.
+
 				log.Printf("hcsshim receive message redirect")
-				b.sendToGCSChan <- req
+				// b.sendToGCSChan <- req
 			}(req)
 		}
 	}()
@@ -289,7 +314,7 @@
 		for req := range b.sendToGCSChan {
 			// reconstruct message and forward to gcs
 			var buf bytes.Buffer
-			log.Printf("bridge send to gcs")
+			log.Printf("bridge send to gcs, req %v", req)
 			if b.prepareMessageAndSend(req.header, req.message, &buf, b.inboxGCSConn) != nil {
 				// kill bridge?
 				log.Printf("err sending message to ")
@@ -349,6 +374,10 @@
 	}
 }
 
+func (b *Bridge) forwardMessageToGCS(req request) {
+	b.sendToGCSChan <- req
+}
+
 func (b *Bridge) close(err error) {
 	// TODO: Fail outstanding rpc requests before closing bridge and other channels
 	// This is important to do as valid errors need to be recorded by callers and fail