From f6ca9f940d4d1e895dd873ad624c15d6944bcc5c Mon Sep 17 00:00:00 2001 From: Sayan Paul Date: Tue, 5 Dec 2023 17:53:08 +0530 Subject: [PATCH] filesystem/policy:added ostree specific mountpoints Ostree specific filesystem policy to prevent users form accidentally creating custom filesystems that can ovewrite the systems filesystem. Signed-off-by: Sayan Paul --- internal/pathpolicy/policies.go | 6 ++++++ internal/pathpolicy/policies_test.go | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go index 558a63b5cd..7d9c42ff4b 100644 --- a/internal/pathpolicy/policies.go +++ b/internal/pathpolicy/policies.go @@ -46,3 +46,9 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{ "/etc/passwd": {Deny: true}, "/etc/group": {Deny: true}, }) + +// MountpointPolicies for ostree +var OstreeMountpointPolicies = NewPathPolicies(map[string]PathPolicy{ + "/": {}, + "/ostree": {Deny: true}, +}) diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go index 0fbd624bcb..e061e8e653 100644 --- a/internal/pathpolicy/policies_test.go +++ b/internal/pathpolicy/policies_test.go @@ -78,3 +78,24 @@ func TestMountpointPolicies(t *testing.T) { }) } } + +func TestOstreeMountpointPolicies(t *testing.T) { + type testCase struct { + path string + allowed bool + } + + testCases := []testCase{ + {"/ostree", false}, + {"/ostree/foo", false}, + } + + for _, tc := range testCases { + t.Run(tc.path, func(t *testing.T) { + err := OstreeMountpointPolicies.Check(tc.path) + if err == nil && !tc.allowed { + t.Errorf("expected %s to be denied, but got no error", tc.path) + } + }) + } +}