filesystem/policy:added ostree specific mountpoints

Ostree specific filesystem policy to prevent users form
accidentally  creating custom filesystems that can ovewrite the
systems filesystem.

Signed-off-by: Sayan Paul <[email protected]>

internal/pathpolicy/policies.go

@@ -46,3 +46,9 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/etc/passwd": {Deny: true},
 	"/etc/group":  {Deny: true},
 })
+
+// MountpointPolicies for ostree
+var OstreeMountpointPolicies = NewPathPolicies(map[string]PathPolicy{
+	"/":       {},
+	"/ostree": {Deny: true},
+})

internal/pathpolicy/policies_test.go

@@ -78,3 +78,35 @@ func TestMountpointPolicies(t *testing.T) {
 		})
 	}
 }
+
+func TestOstreeMountpointPolicies(t *testing.T) {
+	type testCase struct {
+		path    string
+		allowed bool
+	}
+
+	testCases := []testCase{
+		{"/ostree", false},
+		{"/ostree/foo", false},
+
+		{"/foo", true},
+		{"/foo/bar", true},
+
+		{"/var", true},
+		{"/var/roothome", true},
+
+		{"/home", true},
+		{"/home/shadowman", true},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.path, func(t *testing.T) {
+			err := OstreeMountpointPolicies.Check(tc.path)
+			if err != nil && tc.allowed {
+				t.Errorf("expected %s to be allowed, but got error: %v", tc.path, err)
+			} else if err == nil && !tc.allowed {
+				t.Errorf("expected %s to be denied, but got no error", tc.path)
+			}
+		})
+	}
+}