From b0ed69d4021d0eea71460c7e41e4d6f975b0fc10 Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Wed, 13 Mar 2024 16:52:10 -0300 Subject: [PATCH] feat: update M-113 to fail for any explicitly bad setter (including pod-level) --- internal/builtins/pss/restricted/M-113_run_as_non_root.yml | 7 ++++++- .../builtins/pss/restricted/M-113_run_as_non_root_test.yml | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/internal/builtins/pss/restricted/M-113_run_as_non_root.yml b/internal/builtins/pss/restricted/M-113_run_as_non_root.yml index a53abfa..6b446cb 100644 --- a/internal/builtins/pss/restricted/M-113_run_as_non_root.yml +++ b/internal/builtins/pss/restricted/M-113_run_as_non_root.yml @@ -47,6 +47,10 @@ variables: - name: podRunAsNonRoot expression: podSpec.?securityContext.?runAsNonRoot.orValue(false) + # pod-level runAsNonRoot is explicitly set to false + - name: podRunAsRoot + expression: podSpec.?securityContext.?runAsNonRoot.orValue(true) == false + # pod-level runAsUser is explicitly set to non-zero - name: podRunAsNonZeroUser expression: podSpec.?securityContext.?runAsUser.orValue(0) != 0 @@ -71,4 +75,5 @@ variables: ) validations: - - expression: variables.explicitlyBadContainers.size() == 0 && variables.implicitlyBadContainers.size() == 0 + - expression: > + !variables.podRunAsRoot && variables.explicitlyBadContainers.size() == 0 && variables.implicitlyBadContainers.size() == 0 diff --git a/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml b/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml index f3af73f..6fb16de 100644 --- a/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml +++ b/internal/builtins/pss/restricted/M-113_run_as_non_root_test.yml @@ -57,7 +57,7 @@ app: nginx - name: "Pod set runAsNonRoot to false and container to true" - pass: true + pass: false input: | apiVersion: apps/v1 kind: Deployment
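Review bot: The new `podRunAsRoot` variable in the first hunk of M-113_run_as_non_root.yml is true only when pod-level `runAsNonRoot` is explicitly `false`, which is not the same thing as the pod running as root (a non-zero `runAsUser` could still be set), so the name overstates what it checks. Renaming it to something like `podRunAsNonRootDisabled`, or at least expanding the added comment, would keep the next maintainer from reading it as a UID check; e.g. `# pod-level runAsNonRoot is explicitly false; under PSS restricted this is a violation on its own, even if every container overrides it to true`. The `variables:` list this hunk belongs to starts before and continues past the hunk, so I cannot confirm no other variable already covers this case.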
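Review bot: The rewritten validation in the second hunk folds three distinct failure causes (pod-level explicit `false`, explicitly bad containers, implicitly bad containers) into a single expression, so a failing report presumably cannot tell the operator which setter to fix; the message fields, if any, are outside this hunk. If the engine surfaces a message per `validations` entry, splitting this into three entries, starting with `- expression: "!variables.podRunAsRoot"`, would make the pod-level case actionable on its own. Minor style point: `>-` instead of `>` would avoid handing the evaluator a trailing newline in the expression.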
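Review bot: Flipping "Pod set runAsNonRoot to false and container to true" to `pass: false` reads as counterintuitive without a rationale, since the container does end up non-root; a one-line comment on the case, `# explicit pod-level runAsNonRoot: false is a bad setter under PSS restricted regardless of container overrides`, would record why this is the intended result. A companion case with pod-level `runAsNonRoot: false` and no container-level setting would also pin the explicit-versus-implicit distinction the commit subject describes, if that case is not already present elsewhere in the test file, which is mostly outside this hunk.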