filesystem/policy:added ostree specific mountpoints

Ostree specific filesystem policy to prevent users form accidentally creating custom filesystems that can ovewrite the systems filesystem. Signed-off-by: Sayan Paul <[email protected]>
osbuild · Dec 13, 2023 · e335b46 · e335b46
1 parent 20808e9
commit e335b46
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go
@@ -46,3 +46,16 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/etc/passwd": {Deny: true},
 	"/etc/group":  {Deny: true},
 })
+
+// MountpointPolicies for ostree
+var OstreeMountpointPolicies = NewPathPolicies(map[string]PathPolicy{
+	"/":             {},
+	"/ostree":       {Deny: true},
+	"/home":         {Deny: true},
+	"/var/home":     {Deny: true},
+	"/var/opt":      {Deny: true},
+	"/var/srv":      {Deny: true},
+	"/var/roothome": {Deny: true},
+	"/var/usrlocal": {Deny: true},
+	"/var/mnt":      {Deny: true},
+})
diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go
@@ -78,3 +78,36 @@ func TestMountpointPolicies(t *testing.T) {
 		})
 	}
 }
+
+func TestOstreeMountpointPolicies(t *testing.T) {
+	type testCase struct {
+		path    string
+		allowed bool
+	}
+
+	testCases := []testCase{
+		{"/ostree", false},
+		{"/ostree/foo", false},
+
+		{"/foo", true},
+		{"/foo/bar", true},
+
+		{"/var", true},
+		{"/var/myfiles", true},
+		{"/var/roothome", false},
+
+		{"/home", false},
+		{"/home/shadowman", false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.path, func(t *testing.T) {
+			err := OstreeMountpointPolicies.Check(tc.path)
+			if err != nil && tc.allowed {
+				t.Errorf("expected %s to be allowed, but got error: %v", tc.path, err)
+			} else if err == nil && !tc.allowed {
+				t.Errorf("expected %s to be denied, but got no error", tc.path)
+			}
+		})
+	}
+}