filesystem/policy:added ostree specific mountpoints

Ostree specific filesystem policy to prevent users form accidentally creating custom filesystems that can ovewrite the systems filesystem. Signed-off-by: Sayan Paul <[email protected]>
osbuild · Dec 4, 2023 · d673888 · d673888
1 parent f18b991
commit d673888
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/internal/pathpolicy/path_policy.go b/internal/pathpolicy/path_policy.go
@@ -24,6 +24,15 @@ func NewPathPolicies(entries map[string]PathPolicy) *PathPolicies {
 	return NewPathTrieFromMap(noType)
 }
 
+func mergePolicyPath(source map[string]PathPolicy, dest map[string]PathPolicy) map[string]PathPolicy {
+	for k, v := range source {
+		if _, exists := dest[k]; !exists {
+			dest[k] = v
+		}
+	}
+	return dest
+}
+
 // Check a given path against the PathPolicies
 func (pol *PathPolicies) Check(fsPath string) error {
 

diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go
@@ -1,7 +1,7 @@
 package pathpolicy
 
 // MountpointPolicies is a set of default mountpoint policies used for filesystem customizations
-var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
+var defaultMountpointPolicies = map[string]PathPolicy{
 	"/": {},
 	// /etc must be on the root filesystem
 	"/etc": {Deny: true},
@@ -28,7 +28,13 @@ var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/var/run": {Deny: true},
 	// symlink to ../run/lock which is on tmpfs
 	"/var/lock": {Deny: true},
-})
+}
+
+var ostreeMountpointPolicyAddons = map[string]PathPolicy{
+	"/ostree": {Deny: true},
+}
+
+var MountpointPolicies = NewPathPolicies(defaultMountpointPolicies)
 
 // CustomDirectoriesPolicies is a set of default policies for custom directories
 var CustomDirectoriesPolicies = NewPathPolicies(map[string]PathPolicy{
@@ -46,3 +52,6 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/etc/passwd": {Deny: true},
 	"/etc/group":  {Deny: true},
 })
+
+// MountpointPolicies for ostree, which is sum of the default mountpoint policies and ostree addons.
+var OstreeMountpointPolicies = NewPathPolicies(mergePolicyPath(defaultMountpointPolicies, ostreeMountpointPolicyAddons))
diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go
@@ -1,6 +1,10 @@
 package pathpolicy
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
 
 func TestMountpointPolicies(t *testing.T) {
 	type testCase struct {
@@ -78,3 +82,11 @@ func TestMountpointPolicies(t *testing.T) {
 		})
 	}
 }
+
+func TestPathPolicyMerge(t *testing.T) {
+	_ = mergePolicyPath(defaultMountpointPolicies, ostreeMountpointPolicyAddons)
+	_, ok := defaultMountpointPolicies["/ostree"]
+	assert.False(t, ok, "/ostree found in defaultMountpointPolicies")
+	_, ok = ostreeMountpointPolicyAddons["/ostree"]
+	assert.True(t, ok, "/ostree not found in ostreeMountpointPolicy")
+}