v0.10.0-rc.8

What's Changed

• Adding policy enforcement for User. by @matajoh in #1669
• Bump golang.org/x/sys from 0.5.0 to 0.6.0 in /test by @dependabot in #1685
• Fix silly error whereby a chain was required although unnecessary. by @KenGordon in #1682
• github-ci: use go1.19.x by @anmaxvl in #1689
• Bump github.com/containerd/ttrpc from 1.1.0 to 1.2.1 in /test by @dependabot in #1693
• tests: rego exec in uvm cri integration tests by @anmaxvl in #1648
• Fix graceful termination test errors by @kiashok in #1687
• Logging (JSON) formatting; span export by @helsaawy in #1364
• Bump actions/setup-go from 3 to 4 by @dependabot in #1696
• Fix "no matches" test that can somewhat easily match by @SeanTAllen in #1684
• Update dependencies by @helsaawy in #1697
• tests: add tests for concurrent pod startup by @anmaxvl in #1639
• Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0 in /test by @dependabot in #1700
• Bump github.com/google/go-containerregistry from 0.13.0 to 0.14.0 by @dependabot in #1701
• Adding policy for Linux capabilities. by @matajoh in #1683
• NCProxy: attach to host and macpool by @helsaawy in #1591
• Update golangci linter and clean go mod cache by @katiewasnothere in #1707
• Seccomp profile policy enforcement. by @matajoh in #1705
• upgrade runc dependency by @helsaawy in #1714
• Clarifying SVN vs. Version. by @matajoh in #1715
• sev-snp: add SEV device when security policy is present by @anmaxvl in #1679
• tests: Add rego cri-integration tests for plan9 mount policy. by @anmaxvl in #1651
• con-con: write policy, reference info and cert to container's rootfs by @anmaxvl in #1708
• Moving to structured JSON policy decisions. by @matajoh in #1718
• hack: add blanket retries on device-mapper failures with SCSI by @anmaxvl in #1720
• negative rego cri-integration tests by @anmaxvl in #1719
• tests: fix error assertion and container layer sha256 by @anmaxvl in #1725
• Create new test packages that reference internal packages by @katiewasnothere in #1704
• Make sure that security context files are readable by all by @jumaffre in #1729
• Switch from filepath.EvalSymlinks to fs.ResolvePath by @helsaawy in #1644
• Policy decision truncation. by @matajoh in #1731
• Fixing the errors for missing enforcement points by @matajoh in #1735
• tests: write seccomp profile to a temporary file by @anmaxvl in #1736
• Add code to format disk as ext4 in guest by @katiewasnothere in #1717
• Adding padding to base64 encoded policy decisions by @matajoh in #1738
• fix: bug potentially not removing RW device. by @anmaxvl in #1737
• Consolidate dependabot updates by @helsaawy in #1748
• [bug] Consolidate dependabot updates by @helsaawy in #1749
• Remove UVM/container cloning functionality by @kevpar in #1740
• gcs: Add SCSIDevice type with remove operation by @kevpar in #1741
• Remove dependence on GetScsiUvmPath function by @kevpar in #1742
• Rework layer handling to return a ResourceCloser by @kevpar in #1743
• Remove godeps from makefile by @helsaawy in #1750
• slice bounds and nil VM access fix by @helsaawy in #1754

New Contributors

• @jumaffre made their first contribution in #1729

Full Changelog: v0.10.0-rc.7...v0.10.0-rc.8

v0.9.8

What's Changed

• [release/0.9] Fix graceful termination test errors (#1687) by @kiashok in #1695

Full Changelog: v0.9.7...v0.9.8

v0.10.0-rc.7

What's Changed

• Provide error message when allow_stdio_access creates and undecideable error by @SeanTAllen in #1662
• Make a couple tests match the naming convention around them by @SeanTAllen in #1664
• Update selectContainerFromConstraints to work on a container list by @SeanTAllen in #1645
• Bump golang.org/x/net from 0.5.0 to 0.7.0 in /test by @dependabot in #1666
• Provide error message when the lack of required environment variable causes policy denial by @SeanTAllen in #1661
• tests: rego policy exec in container tests by @anmaxvl in #1635
• Fix compilation error caused by "PRs crossing in the night" by @SeanTAllen in #1668
• Adding support and policy enforcement for NoNewPrivileges. by @matajoh in #1652
• Bump golang.org/x/net from 0.1.0 to 0.7.0 by @dependabot in #1667
• Format encrypted scratch disk as xfs rather than ext4fs by @KenGordon in #1665
• Wait longer before trying to install mingw after failing to install by @SeanTAllen in #1670
• osversion: implement stringer interface, deprecate ToString() by @thaJeztah in #1547
• Bump actions/upload-artifact from 2 to 3 by @dependabot in #1677
• Bump actions/checkout from 2 to 3 by @dependabot in #1676
• Bump github.com/opencontainers/runtime-tools from 0.0.0-20181011054405-1d69bd0f9c39 to 0.9.0 in /test by @dependabot in #1674
• Use gotestsum to get test summary by @helsaawy in #1678
• simplify zeroDevice to just zero first block by @anmaxvl in #1672
• Base layer manipulation by @gabriel-samfira in #1637

Full Changelog: v0.10.0-rc.6...v0.10.0-rc.7

v0.9.7

What's Changed

• [release/0.9] Retain pause.exe as entrypoint for default pause images by @kiashok in #1634
• [release/0.9] wcow: support graceful termination of servercore containers (#1416) by @kiashok in #1640

Full Changelog: v0.9.6...v0.9.7

v0.10.0-rc.6

fix: temp file leak during hash computation (#1641)

Fix a temp file leak when computing dmverity root hash. This
mainly affects `dmverity-vhd` tool and users may see their temp
storage filling up.

Signed-off-by: Maksim An <maksiman@microsoft.com>

v0.10.0-rc.5

What's Changed

• Add logic to cleanup the oci bundle root dir on container delete by @katiewasnothere in #1597
• Retain pause.exe as entrypoint for default pause images by @kiashok in #1615
• Add missing AllowElevated policy check when creating a container by @SeanTAllen in #1624
• rego enforcer: trim whitespaces from fragment namespace name by @anmaxvl in #1627
• Make LCOWPrivileged annotation more resilient to change by @SeanTAllen in #1628
• fix snp-report: fake-report flag is now correctly parsed by @anmaxvl in #1626
• API Data and Framework Versioning. by @matajoh in #1622
• rego: fix slightly incorrect sandbox and hugepage mounts enforcement by @anmaxvl in #1625
• Fragment COSE Sign1 support. by @KenGordon in #1575
• Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 in /test by @dependabot in #1631
• Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 in /test by @dependabot in #1632
• Bump google.golang.org/grpc from 1.51.0 to 1.52.3 in /test by @dependabot in #1633
• Bump golang.org/x/sys from 0.3.0 to 0.4.0 in /test by @dependabot in #1612
• Bump github.com/containerd/cgroups from 1.0.3 to 1.1.0 by @dependabot in #1630
• Bump github.com/google/go-containerregistry from 0.12.1 to 0.13.0 by @dependabot in #1629
• internal/tools/securitypolicy: switch to github.com/pelletier/go-toml by @thaJeztah in #1620
• Add retry to install mingw by @helsaawy in #1636
• test: Add CRI benchmarks for container operations by @helsaawy in #1569

Full Changelog: v0.10.0-rc.4...v0.10.0-rc.5

v0.10.0-rc.4

What's Changed

• Updating dependencies by @helsaawy in #1607
• policy: do not set policy to open door if none is provided by @anmaxvl in #1572
• wcow: support graceful termination of servercore containers by @kiashok in #1416
• Add 20H2 container image to test constants by @helsaawy in #1611
• Remove goversioninfo from tools.go by @helsaawy in #1616
• Adding a simulator + regopolicyinterpreter. by @matajoh in #1558
• adding tarball support for generating root layer hashes by @SethHollandsworth in #1600

Full Changelog: v0.10.0-rc.3...v0.10.0-rc.4

v0.8.25

What's Changed

• [release/0.8] Remove blocking wait on container exit for every exec created by @kiashok in #1605

Full Changelog: v0.8.24...v0.8.25

v0.10.0-rc.3

What's Changed

• Prevent operations on exited HCS objects. by @helsaawy in #1567
• Add ability in policy to allow/disallow access to stdio by @matajoh in #1594
• Remove blocking on container exit for every new exec created by @kiashok in #1601

Full Changelog: v0.10.0-rc.2...v0.10.0-rc.3

v0.9.6

What's Changed

• [release/0.9] Remove blocking wait on container exit for every exec created by @kiashok in #1604

Full Changelog: v0.9.5...v0.9.6