From 32d6b1a5d531b32b0d62161a96f556856b950024 Mon Sep 17 00:00:00 2001 From: Sayan Paul Date: Tue, 5 Dec 2023 17:53:08 +0530 Subject: [PATCH] filesystem/policy:added ostree specific mountpoints Ostree specific filesystem policy to prevent users form accidentally creating custom filesystems that can ovewrite the systems filesystem. Signed-off-by: Sayan Paul --- internal/pathpolicy/policies.go | 6 ++++++ internal/pathpolicy/policies_test.go | 32 ++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go index 558a63b5cd..7d9c42ff4b 100644 --- a/internal/pathpolicy/policies.go +++ b/internal/pathpolicy/policies.go @@ -46,3 +46,9 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{ "/etc/passwd": {Deny: true}, "/etc/group": {Deny: true}, }) + +// MountpointPolicies for ostree +var OstreeMountpointPolicies = NewPathPolicies(map[string]PathPolicy{ + "/": {}, + "/ostree": {Deny: true}, +}) diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go index 0fbd624bcb..604e8d4619 100644 --- a/internal/pathpolicy/policies_test.go +++ b/internal/pathpolicy/policies_test.go @@ -78,3 +78,35 @@ func TestMountpointPolicies(t *testing.T) { }) } } + +func TestOstreeMountpointPolicies(t *testing.T) { + type testCase struct { + path string + allowed bool + } + + testCases := []testCase{ + {"/ostree", false}, + {"/ostree/foo", false}, + + {"/foo", true}, + {"/foo/bar", true}, + + {"/var", true}, + {"/var/roothome", true}, + + {"/home", true}, + {"/home/shadowman", true}, + } + + for _, tc := range testCases { + t.Run(tc.path, func(t *testing.T) { + err := OstreeMountpointPolicies.Check(tc.path) + if err != nil && tc.allowed { + t.Errorf("expected %s to be allowed, but got error: %v", tc.path, err) + } else if err == nil && !tc.allowed { + t.Errorf("expected %s to be denied, but got no error", tc.path) + } + }) + } +}