From d673888239411c85a6c82e4d24bc4d18fbcfc805 Mon Sep 17 00:00:00 2001 From: Sayan Paul Date: Mon, 27 Nov 2023 15:53:16 +0530 Subject: [PATCH] filesystem/policy:added ostree specific mountpoints Ostree specific filesystem policy to prevent users form accidentally creating custom filesystems that can ovewrite the systems filesystem. Signed-off-by: Sayan Paul --- internal/pathpolicy/path_policy.go | 9 +++++++++ internal/pathpolicy/policies.go | 13 +++++++++++-- internal/pathpolicy/policies_test.go | 14 +++++++++++++- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/internal/pathpolicy/path_policy.go b/internal/pathpolicy/path_policy.go index 423a5751b1..1b3a65527d 100644 --- a/internal/pathpolicy/path_policy.go +++ b/internal/pathpolicy/path_policy.go @@ -24,6 +24,15 @@ func NewPathPolicies(entries map[string]PathPolicy) *PathPolicies { return NewPathTrieFromMap(noType) } +func mergePolicyPath(source map[string]PathPolicy, dest map[string]PathPolicy) map[string]PathPolicy { + for k, v := range source { + if _, exists := dest[k]; !exists { + dest[k] = v + } + } + return dest +} + // Check a given path against the PathPolicies func (pol *PathPolicies) Check(fsPath string) error { diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go index 558a63b5cd..63cc30b857 100644 --- a/internal/pathpolicy/policies.go +++ b/internal/pathpolicy/policies.go @@ -1,7 +1,7 @@ package pathpolicy // MountpointPolicies is a set of default mountpoint policies used for filesystem customizations -var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{ +var defaultMountpointPolicies = map[string]PathPolicy{ "/": {}, // /etc must be on the root filesystem "/etc": {Deny: true}, @@ -28,7 +28,13 @@ var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{ "/var/run": {Deny: true}, // symlink to ../run/lock which is on tmpfs "/var/lock": {Deny: true}, -}) +} + +var ostreeMountpointPolicyAddons = map[string]PathPolicy{ + "/ostree": {Deny: true}, +} + +var MountpointPolicies = NewPathPolicies(defaultMountpointPolicies) // CustomDirectoriesPolicies is a set of default policies for custom directories var CustomDirectoriesPolicies = NewPathPolicies(map[string]PathPolicy{ @@ -46,3 +52,6 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{ "/etc/passwd": {Deny: true}, "/etc/group": {Deny: true}, }) + +// MountpointPolicies for ostree, which is sum of the default mountpoint policies and ostree addons. +var OstreeMountpointPolicies = NewPathPolicies(mergePolicyPath(defaultMountpointPolicies, ostreeMountpointPolicyAddons)) diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go index 0fbd624bcb..26c8daa5c2 100644 --- a/internal/pathpolicy/policies_test.go +++ b/internal/pathpolicy/policies_test.go @@ -1,6 +1,10 @@ package pathpolicy -import "testing" +import ( + "testing" + + "github.com/stretchr/testify/assert" +) func TestMountpointPolicies(t *testing.T) { type testCase struct { @@ -78,3 +82,11 @@ func TestMountpointPolicies(t *testing.T) { }) } } + +func TestPathPolicyMerge(t *testing.T) { + _ = mergePolicyPath(defaultMountpointPolicies, ostreeMountpointPolicyAddons) + _, ok := defaultMountpointPolicies["/ostree"] + assert.False(t, ok, "/ostree found in defaultMountpointPolicies") + _, ok = ostreeMountpointPolicyAddons["/ostree"] + assert.True(t, ok, "/ostree not found in ostreeMountpointPolicy") +}