policy: enable proxy network from source policy caps by tonistiigi · Pull Request #3895 · docker/buildx

tonistiigi · 2026-06-10T06:32:30Z

Evaluate source policy caps before solve requests so policies can enable
BuildKit proxy networking. Policy can return caps {"exec.proxy": true}
during the caps request to enable proxy network
support for the solve.

Evaluate source policy caps before solve requests so policies can enable BuildKit proxy networking. Policy can return caps {"exec.proxy": true} during the caps request to enable proxy network support for the solve. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

crazy-max · 2026-06-10T14:53:44Z

+			if err := applyPolicyCaps(ctx, p, bopts, so); err != nil {
+				return nil, err
+			}
+		}


I think it could poitentially reject existing policies that never request caps?

Maybe we can treat an undefined or empty decision during caps probing as empty caps?

If the policies do not define caps then it is as good as having caps false. If one policy requires caps and others don't (explicitly or not) then caps still needed.

crazy-max · 2026-06-10T14:56:35Z

+	server := httpserver.NewTestServer(map[string]*httpserver.Response{
+		"/file": resp,
+	})
+	defer server.Close()
+
+	dockerfile := []byte(`
+FROM busybox:latest
+RUN wget -O- ` + server.URL + `/file
+`)


seems to run through the normal build path because server.URL is a loopback/local endpoint. With the new proxy behavior local services are only reachable in the host+proxy case iiuc

not sure if we can have a proxy-reachable non-loopback test endpoint

This always fails anyway, but test checks that it fails with "policy deny".

Extend testBuildPolicyCapsProxy so that instead of only checking that the network proxy was enabled, the build runs a command that makes an HTTP request to a local test server. The policy denies that URL as an HTTP source, so the test now verifies that exec traffic actually flows through the proxy and is subject to source policy, including the deny message and DENY decision in the build output. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

github-actions Bot assigned tonistiigi Jun 10, 2026

github-actions Bot added area/build area/dependencies area/tests area/policy labels Jun 10, 2026

tonistiigi added this to the v0.35.0 milestone Jun 10, 2026

tonistiigi marked this pull request as ready for review June 10, 2026 06:51

crazy-max force-pushed the exec-proxy-support branch from 8cd1c2a to e08f0fc Compare June 10, 2026 13:04

github-actions Bot removed the area/dependencies label Jun 10, 2026

crazy-max reviewed Jun 10, 2026

View reviewed changes

tonistiigi force-pushed the exec-proxy-support branch from e08f0fc to 25db0fb Compare June 10, 2026 15:59

crazy-max approved these changes Jun 10, 2026

View reviewed changes

tonistiigi merged commit 4fa5bb2 into docker:master Jun 10, 2026
288 of 291 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

policy: enable proxy network from source policy caps#3895

policy: enable proxy network from source policy caps#3895
tonistiigi merged 2 commits into
docker:masterfrom
tonistiigi:exec-proxy-support

tonistiigi commented Jun 10, 2026

Uh oh!

crazy-max Jun 10, 2026

Uh oh!

tonistiigi Jun 10, 2026

Uh oh!

crazy-max Jun 10, 2026

Uh oh!

tonistiigi Jun 10, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

tonistiigi commented Jun 10, 2026

Uh oh!

crazy-max Jun 10, 2026

Choose a reason for hiding this comment

Uh oh!

tonistiigi Jun 10, 2026

Choose a reason for hiding this comment

Uh oh!

crazy-max Jun 10, 2026

Choose a reason for hiding this comment

Uh oh!

tonistiigi Jun 10, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants