do not require policy.json

we are having second thoughts about *requiring* a policy.json on podman
machine hosts.  we are concerned that we need to work out some more use
cases to be sure we do not make choices now that limit us in the near
term future. for example, should the policy files be the same for
container images and machine images? And should one live on the host
machine and the other live in the machine?

therefore, if a policy.json *is* present in the correct location, we will use and honor it; however, if it does not, we will allow the machine image to be pulled without a policy.

Signed-off-by: Brent Baude <baude@redhat.com>
Co-authored-by: Paul Holzinger <45212748+Luap99@users.noreply.github.com>
Signed-off-by: Brent Baude <bbaude@redhat.com>

Makefile

@@ -103,7 +103,6 @@ FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d
 
 SELINUXOPT ?= $(shell test -x /usr/sbin/selinuxenabled && selinuxenabled && echo -Z)
 
-MACHINE_POLICY_JSON_DIR ?= .
 
 COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true)
 GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),$(call err_if_empty,COMMIT_NO)-dirty,$(COMMIT_NO))
@@ -121,7 +120,6 @@ LDFLAGS_PODMAN ?= \
 	-X $(LIBPOD)/config._installPrefix=$(PREFIX) \
 	-X $(LIBPOD)/config._etcDir=$(ETCDIR) \
 	-X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \
-	-X $(PROJECT)/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=$(MACHINE_POLICY_JSON_DIR) \
 	-X github.com/containers/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\
 	$(EXTRA_LDFLAGS)
 LDFLAGS_PODMAN_STATIC ?= \
@@ -782,10 +780,6 @@ podman-remote-release-%.zip: test/version/version ## Build podman-remote for %=$
 	cp -r ./docs/build/remote/$(GOOS) "$(tmpsubdir)/$(releasedir)/docs/"
 	cp ./contrib/remote/containers.conf "$(tmpsubdir)/$(releasedir)/"
 	$(MAKE) $(GOPLAT) $(_dstargs) SELINUXOPT="" install.remote
-	# Placing the policy file in the bin directory is intentional This
-	# could be changed in the future to mirror LSB on Linux/Unix but would
-	# require path resolution logic changes to sustain the Win flat model
-	cp ./pkg/machine/ocipull/policy.json "$(tmpsubdir)/$(releasedir)/$(RELEASE_PREFIX)/bin"
 	cd "$(tmpsubdir)" && \
 		zip --recurse-paths "$(CURDIR)/$@" "./$(releasedir)"
 	if [[ "$(GOARCH)" != "$(NATIVE_GOARCH)" ]]; then $(MAKE) clean-binaries; fi

contrib/pkginstaller/Makefile

@@ -47,8 +47,9 @@ package_root: clean-pkgroot $(TMP_BIN)/gvproxy $(TMP_BIN)/vfkit
 	cp $(TMP_BIN)/gvproxy $(PACKAGE_ROOT)/podman/bin/
 	cp $(TMP_BIN)/vfkit $(PACKAGE_ROOT)/podman/bin/
 	chmod a+x $(PACKAGE_ROOT)/podman/bin/*
-	mkdir $(PACKAGE_ROOT)/podman/config
-	cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
+	# Leaving for future considerations
+	# mkdir $(PACKAGE_ROOT)/podman/config
+	# cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
 
 %: %.in podman_version
 	@sed -e 's/__VERSION__/'$(shell ../../test/version/version)'/g' $< >$@

contrib/pkginstaller/package.sh

@@ -41,7 +41,7 @@ function build_podman() {
 }
 
 function build_podman_arch(){
-    make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" MACHINE_POLICY_JSON_DIR="${MACHINE_POLICY_JSON_DIR}"
+    make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
     make -B GOARCH="$1" podman-mac-helper
     mkdir -p "${tmpBin}"
     cp bin/darwin/podman "${tmpBin}/podman-$1"

contrib/win-installer/build.ps1

@@ -144,13 +144,13 @@ if ($gvExists) {
     $env:UseGVProxy = "Skip"
 }
 
-$pExists = Test-Path "artifacts/policy.json"
-if ($pExists) {
-    Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue
-} else {
-    $env:IncludePolicyJSON = "Skip"
-}
-
+# Retaining for possible future additions
+# $pExists = Test-Path "artifacts/policy.json"
+# if ($pExists) {
+#     Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue
+# } else {
+#     $env:IncludePolicyJSON = "Skip"
+# }
 .\build-msi.bat $ENV:INSTVER; ExitOnError
 SignItem @("podman.msi")
 

contrib/win-installer/podman.wxs

@@ -12,11 +12,6 @@
     <?define UseGVProxy = ""?>
   <?endif?>
 
-  <?ifdef env.IncludePolicyJSON?>
-    <?define IncludePolicyJSON = "$(env.IncludePolicyJSON)"?>
-  <?else?>
-    <?define IncludePolicyJSON = ""?>
-  <?endif?>
 
   <Product Name="Podman $(var.VERSION)" Id="*" UpgradeCode="696BAB5D-CA1F-4B05-B123-320F245B8D6D" Version="$(var.VERSION)" Language="1033" Manufacturer="Red Hat Inc.">
 
@@ -47,11 +42,6 @@
               <File Id="GvProxyExecutableFile" Name="gvproxy.exe" Source="artifacts/gvproxy.exe" KeyPath="yes"/>
             </Component>
             <?endif?>
-            <?if $(var.IncludePolicyJSON) != Skip?>
-            <Component Id="PolicyJSON" Guid="C6135EDA-7C17-4A0E-BC52-5AB38BD54A61" Win64="yes">
-              <File Id="PolicyJSONFile" Name="policy.json" Source="artifacts/policy.json" KeyPath="yes"/>
-            </Component>
-            <?endif?>
             <Component Id="GuideHTMLComponent" Guid="8B23C76B-F7D4-4030-8C46-1B5729E616B5" Win64="yes">
               <File Id="GuideHTMLFile"  Name="welcome-podman.html" Source="docs/podman-for-windows.html" KeyPath="yes"/>
             </Component>
@@ -85,9 +75,6 @@
       <?if $(var.UseGVProxy) != Skip?>
       <ComponentRef Id="GvProxyExecutable"/>
       <?endif?>
-      <?if $(var.IncludePolicyJSON) != Skip?>
-      <ComponentRef Id="PolicyJSON"/>
-      <?endif?>
       <ComponentRef Id="GuideHTMLComponent"/>
       <ComponentGroupRef Id="ManFiles"/>
       <ComponentGroupRef Id="WSLFeature"/>

contrib/win-installer/process-release.ps1

@@ -135,12 +135,13 @@ try {
         Copy-Artifact("gvproxy.exe")
     }
 
-    $loc = Get-ChildItem -Recurse -Path . -Name policy.json
-    if (!$loc) {
-        Write-Host "Skipping policy.json artifact"
-    } else {
-        Copy-Artifact("policy.json")
-    }
+    # Retaining for future additions
+    # $loc = Get-ChildItem -Recurse -Path . -Name policy.json
+    # if (!$loc) {
+    #     Write-Host "Skipping policy.json artifact"
+    # } else {
+    #     Copy-Artifact("policy.json")
+    # }
 
     $docsloc = Get-ChildItem -Path . -Name docs -Recurse
     $loc = Get-ChildItem -Recurse -Path . -Name podman-for-windows.html

pkg/machine/ocipull/policy.go

@@ -1,9 +1,10 @@
 package ocipull
 
 import (
-	"fmt"
 	"os"
 	"path/filepath"
+
+	"github.com/sirupsen/logrus"
 )
 
 // DefaultPolicyJSONPath should be overwritten at build time with the real path to the directory where
@@ -15,33 +16,18 @@ var DefaultPolicyJSONPath = ""
 
 const policyfile = "policy.json"
 
-type defaultPolicyError struct {
-	errs []error
-}
-
-func (e *defaultPolicyError) Error() string {
-	return fmt.Sprintf("no DefaultPolicyJSONPath defined and no local overwrites found: %q", e.errs)
-}
-
-func policyPath() (string, error) {
+// policyPaths returns a slice of possible directories where a policy.json might live
+func policyPaths() []string {
 	paths := localPolicyOverwrites()
-	errs := make([]error, 0, len(paths))
-	for _, path := range paths {
-		_, err := os.Stat(path)
-		if err == nil {
-			return path, nil
-		}
-		errs = append(errs, err)
-	}
 	if DefaultPolicyJSONPath != "" {
 		if filepath.IsAbs(DefaultPolicyJSONPath) {
-			return filepath.Join(DefaultPolicyJSONPath, policyfile), nil
+			return append(paths, filepath.Join(DefaultPolicyJSONPath, policyfile))
 		}
 		p, err := os.Executable()
 		if err != nil {
-			return "", fmt.Errorf("could not resolve relative path to binary: %w", err)
+			logrus.Warnf("could not resolve relative path to binary: %q", err)
 		}
-		return filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile), nil
+		paths = append(paths, filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile))
 	}
-	return "", &defaultPolicyError{errs: errs}
+	return paths
 }

pkg/machine/ocipull/pull.go

@@ -2,7 +2,9 @@ package ocipull
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 
 	"github.com/containers/buildah/pkg/parse"
@@ -13,6 +15,7 @@ import (
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v5/pkg/machine/define"
+	"github.com/sirupsen/logrus"
 )
 
 // PullOptions includes data to alter certain knobs when pulling a source
@@ -26,8 +29,17 @@ type PullOptions struct {
 	Quiet bool
 }
 
+var (
+	// noSignaturePolicy is a default policy if policy.json is not found on
+	// the host machine.
+	noSignaturePolicy string = `{"default":[{"type":"insecureAcceptAnything"}]}`
+)
+
 // Pull `imageInput` from a container registry to `sourcePath`.
 func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *define.VMFile, options *PullOptions) error {
+	var (
+		policy *signature.Policy
+	)
 	destRef, err := layout.ParseReference(localDestPath.GetPath())
 	if err != nil {
 		return err
@@ -44,15 +56,28 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
 		sysCtx.DockerAuthConfig = authConf
 	}
 
-	path, err := policyPath()
-	if err != nil {
-		return err
+	// Policy paths returns a slice of directories where the policy.json
+	// may live.  Iterate those directories and try to see if any are
+	// valid ignoring when the file does not exist
+	for _, path := range policyPaths() {
+		policy, err = signature.NewPolicyFromFile(path)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				continue
+			}
+			return fmt.Errorf("reading signature policy: %w", err)
+		}
 	}
 
-	policy, err := signature.NewPolicyFromFile(path)
-	if err != nil {
-		return fmt.Errorf("obtaining signature policy: %w", err)
+	// If no policy has been found yet, we use a no signature policy automatically
+	if policy == nil {
+		logrus.Debug("no signature policy file found: using default allow everything signature policy")
+		policy, err = signature.NewPolicyFromBytes([]byte(noSignaturePolicy))
+		if err != nil {
+			return fmt.Errorf("obtaining signature policy: %w", err)
+		}
 	}
+
 	policyContext, err := signature.NewPolicyContext(policy)
 	if err != nil {
 		return fmt.Errorf("creating new signature policy context: %w", err)