Conversation

@FabienGhd FabienGhd commented Jul 8, 2024

Hi,

This PR fixes issue #130.
This blog also raises the same caveat when using Udica with the kata-monitor daemonset in Kata Containers, stating that:

While udica can create a good baseline policy from the container.json file, sometimes it might not be sufficient, and you will need customisations.
[...]
The kata-monitor daemonset required permissions to listen on a TCP socket and connect to a Unix socket. We had to redo the policy generation and enable network access.

I've added support for specifying additional TCP and UNIX socket permissions.

  • Implemented the --tcp-connect option to specify additional TCP port permissions.
  • Implemented the --unix-connect option to allow UNIX domain socket connect permissions.
  • Modified policy generation logic to include these additional permissions in the generated policy file.

To easily test the changes:

# Add TCP and UNIX socket permissions to 'tests/test_basic.podman.json'
$ sudo udica -j test_basic.podman.json --tcp-connect 5432,636 --unix-connect test-container

# Verify that the new policies are added
$ cat test-container.cil | grep -E "(allow process (container_runtime_t|postgresql_port_t|ldap_port_t) \( (unix_stream_socket|tcp_socket) \( (connectto|name_connect) \)\))"

Thank you!
Fabien
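As an added example (not the PR's code and not udica's own), the rule generation and the grep check described above in Python; the port-to-type table and the `port_type` lookup are constructed stand-ins for udica's real SELinux port lookup, and the unix rule targets `container_runtime_t` as in the check above:

```python
import re

# Constructed subset of the SELinux port -> type map, hard-coded so the
# example runs offline (udica reads the real one from the loaded policy).
PORT_TYPES = [
    # (low, high, proto, type)
    (5432, 5432, "tcp", "postgresql_port_t"),
    (389, 389, "tcp", "ldap_port_t"),
    (636, 636, "tcp", "ldap_port_t"),
    (3268, 3269, "tcp", "ldap_port_t"),
]


def port_type(port, proto):
    """Return the SELinux port type covering port/proto, or None if none matches."""
    for low, high, port_proto, ctype in PORT_TYPES:
        if low <= port <= high and port_proto == proto:
            return ctype
    return None


def connect_rules(container, tcp_ports=(), unix_connect=False):
    """Render the CIL allow rules --tcp-connect / --unix-connect would add.

    Ports with no known port type are returned separately instead of being
    emitted, so the policy never references a type that does not exist.
    """
    rules, unknown = [], []
    for port in tcp_ports:
        ctype = port_type(port, "tcp")
        if ctype is None:
            unknown.append(port)
            continue
        rules.append(f"    (allow process {ctype} ( tcp_socket ( name_connect )))")
    if unix_connect:
        rules.append("    (allow process container_runtime_t ( unix_stream_socket ( connectto )))")
    # Two ports in the same type range need only one rule; keep order, drop repeats.
    rules = list(dict.fromkeys(rules))
    block = f"(block {container}\n" + "\n".join(rules) + "\n)\n"
    return block, unknown


# Same shape as the grep in the PR description: (type, socket class, permission).
RULE_RE = re.compile(
    r"\(allow process (\S+) \( (tcp_socket|unix_stream_socket) \( (name_connect|connectto) \)\)\)"
)


def connect_grants(cil_text):
    """Parse a generated .cil block back into (type, class, perm) triples."""
    return RULE_RE.findall(cil_text)
```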

Collaborator

vmojzis commented Mar 7, 2025

Hi, thank you for the contribution and sorry for the delay. I like the functionality, just please remove the additional arguments from "create_policy" and also fix formatting.

#make test
pyflakes udica
black --check --diff *.py udica/*.py tests/*.py
--- udica/policy.py	2025-03-07 18:57:19.977498+00:00
+++ udica/policy.py	2025-03-07 19:24:27.633857+00:00
@@ -104,11 +104,19 @@
         if low <= port_number <= high and port_proto == proto_str:
             return ctype
 
 
 def create_policy(
-    opts, capabilities, devices, mounts, ports, append_rules, inspect_format, tcp_ports, unix_connect
+    opts,
+    capabilities,
+    devices,
+    mounts,
+    ports,
+    append_rules,
+    inspect_format,
+    tcp_ports,
+    unix_connect,
 ):
     policy = open(opts["ContainerName"] + ".cil", "w")
     policy.write("(block " + opts["ContainerName"] + "\n")
     policy.write("    (blockinherit container)\n")
     add_template("base_container")
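Review bot: the nine-parameter signature black splits here is the one the maintainer asked to shrink; dropping tcp_ports and unix_connect from create_policy as requested also makes the signature short enough that black no longer reformats it. Secondary point in the same hunk: the policy file comes from a bare open(...) with no with-block in the visible lines, so if the function does not close it later, wrapping the writes in `with open(opts["ContainerName"] + ".cil", "w") as policy:` would be safer.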
@@ -166,11 +174,11 @@
                 + list_ports(item["portNumber"], item["protocol"])
                 + " ( "
                 + perms.socket[item["protocol"]]
                 + " (  name_bind ))) \n"
             )
-    
+
     # TCP connect permissions
     for port in tcp_ports:
         policy.write(
             "    (allow process "
             + list_ports(port, "tcp")
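Review bot: the `-    ` / `+` pair is trailing whitespace on the blank line after the name_bind loop, the second thing black flags; strip it. While here, the new loop passes each port through list_ports(port, "tcp"), and the visible tail of that helper only returns ctype inside the matching if, so a port outside every known range falls through; make sure the fall-through value cannot be concatenated into the "(allow process " string and that an unknown port is reported to the user instead.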
would reformat udica/policy.py

Oh no! 💥 💔 💥
1 file would be reformatted, 12 files would be left unchanged.
make: *** [Makefile:19: format-check] Error 1
