From 319aded3d334f96a6f47046ff91e7b6e570d06b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hozza?=
Date: Fri, 20 Oct 2023 16:05:57 +0200
Subject: [PATCH] Relax mountpoint policy to allow arbitrary custom paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Any path, which is not explicitly disallowed, can now be specified as a separate mountpoint.
Signed-off-by: Tomáš Hozza
---
 internal/pathpolicy/policies.go | 12 ++----------
 internal/pathpolicy/policies_test.go | 11 +++++++----
 2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go
index 586ae77950..4f9ef7b307 100644
--- a/internal/pathpolicy/policies.go
+++ b/internal/pathpolicy/policies.go
@@ -2,20 +2,12 @@ package pathpolicy
 // MountpointPolicies is a set of default mountpoint policies used for filesystem customizations
 var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
- "/": {Exact: true},
- "/boot": {Exact: true},
- "/var": {},
- "/opt": {},
- "/srv": {},
+ "/": {},
 // /etc must be on the root filesystem
 "/etc": {Deny: true},
 // NB: any mountpoints under /usr are not supported by systemd fstab
 // generator in initram before the switch-root, so we don't allow them.
- "/usr": {Exact: true},
- "/app": {},
- "/data": {},
- "/home": {},
- "/tmp": {},
+ "/usr": {Exact: true},
 // API filesystems
 "/sys": {Deny: true},
 "/proc": {Deny: true},
diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go
index c903c42ae8..f2639e1dda 100644
--- a/internal/pathpolicy/policies_test.go
+++ b/internal/pathpolicy/policies_test.go
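Review bot: Changing `"/"` from `{Exact: true}` to `{}` in policies.go turns this table from an allowlist into a denylist, so any sensitive directory that is missing from the table is now accepted as a mountpoint by default. Dropping `"/boot": {Exact: true}` also makes `/boot/dir` valid (the updated test expects that) while `/boot/efi` stays rejected, which is worth confirming as intended. I would record the new semantics next to the entry, e.g. `"/": {}, // default-allow: any path without a more specific entry below is permitted`. It is also worth checking that paths are cleaned (trailing slash, `..`, doubled separators) before the policy lookup, since a denylist depends on that and the lookup is not visible here. The map literal continues outside the hunk.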
@@ -12,22 +12,25 @@ func TestMountpointPolicies(t *testing.T) { {"/", true}, {"/bin", false}, - {"/custom", false}, {"/dev", false}, {"/etc", false}, {"/lib", false}, {"/lib64", false}, {"/lost+found", false}, - {"/mnt", false}, {"/proc", false}, - {"/root", false}, {"/run", false}, {"/sbin", false}, {"/sys", false}, {"/sysroot", false}, + {"/mnt", true}, + {"/root", true}, + + {"/custom", true}, + {"/custom/dir", true}, + {"/boot", true}, - {"/boot/dir", false}, + {"/boot/dir", true}, {"/boot/efi", false}, {"/var", true},
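Review bot: The visible rows only check the denied directories by their top-level names (`/etc`, `/proc`, `/sys`, `/usr` is not shown), so with the policy now default-allow nothing here pins the behaviour for paths below them. Rows such as `{"/etc/dir", false}` and `{"/usr/dir", false}` would stop a later change to the Deny/Exact handling from silently opening those subtrees; I am assuming Deny is meant to cover the subtree, which the policy code outside this patch would confirm. Skip this if equivalent rows already exist further down, as the test table continues outside the hunk.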