diff --git a/internal/pathpolicy/path_policy.go b/internal/pathpolicy/path_policy.go
index 423a5751b1..1719199d8e 100644
--- a/internal/pathpolicy/path_policy.go
+++ b/internal/pathpolicy/path_policy.go
@@ -24,6 +24,15 @@ func NewPathPolicies(entries map[string]PathPolicy) *PathPolicies {
 	return NewPathTrieFromMap(noType)
 }
 
+func mergePolicyPath(entry_1 map[string]PathPolicy, entry_2 map[string]PathPolicy) map[string]PathPolicy {
+	for k, v := range entry_2 {
+		if _, exists := entry_1[k]; !exists {
+			entry_1[k] = v
+		}
+	}
+	return entry_1
+}
+
 // Check a given path against the PathPolicies
 func (pol *PathPolicies) Check(fsPath string) error {
diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go
index 558a63b5cd..63cc30b857 100644
--- a/internal/pathpolicy/policies.go
+++ b/internal/pathpolicy/policies.go
@@ -1,7 +1,7 @@
 package pathpolicy
 
 // MountpointPolicies is a set of default mountpoint policies used for filesystem customizations
-var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
+var defaultMountpointPolicies = map[string]PathPolicy{
 	"/": {},
 	// /etc must be on the root filesystem
 	"/etc": {Deny: true},
@@ -28,7 +28,13 @@ var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/var/run": {Deny: true},
 	// symlink to ../run/lock which is on tmpfs
 	"/var/lock": {Deny: true},
-})
+}
+
+var ostreeMountpointPolicyAddons = map[string]PathPolicy{
+	"/ostree": {Deny: true},
+}
+
+var MountpointPolicies = NewPathPolicies(defaultMountpointPolicies)
 
 // CustomDirectoriesPolicies is a set of default policies for custom directories
 var CustomDirectoriesPolicies = NewPathPolicies(map[string]PathPolicy{
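Review bot: `mergePolicyPath` writes the addon entries into its first argument and returns that same map, so the caller in policies.go (`mergePolicyPath(defaultMountpointPolicies, ...)`) permanently adds `/ostree` to the shared package-level `defaultMountpointPolicies`; whether `MountpointPolicies` then also contains that deny depends only on package-level initialization order and on whether `NewPathTrieFromMap` copies its input, neither of which this hunk shows. Building and returning a fresh map removes that hidden coupling and makes the helper safe to call more than once. The function also lacks a doc comment and uses underscore names (`entry_1`, `entry_2`) where Go style expects MixedCaps such as `base`/`addons`. The first-wins rule on duplicate paths should be stated explicitly, because an addon `Deny` for a path the base already lists is dropped without any signal; if addons are meant to tighten the policy, the precedence should probably be reversed, which this sketch deliberately does not do.
```go
// mergePolicyPath returns a new policy map holding every entry of base plus
// those entries of addons whose path is not already present in base
// (base wins on conflict). Neither argument is modified.
func mergePolicyPath(base map[string]PathPolicy, addons map[string]PathPolicy) map[string]PathPolicy {
	merged := make(map[string]PathPolicy, len(base)+len(addons))
	for k, v := range base {
		merged[k] = v
	}
	for k, v := range addons {
		if _, exists := merged[k]; !exists {
			merged[k] = v
		}
	}
	return merged
}
```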
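Review bot: The comment `// MountpointPolicies is a set of default mountpoint policies used for filesystem customizations` is left in place above the renamed `defaultMountpointPolicies`, so it now names a variable that is declared further down the file instead of the map literal it sits on. Reword it for the unexported map, for example `// defaultMountpointPolicies is the base set of mountpoint policies used for filesystem customizations; MountpointPolicies and OstreeMountpointPolicies are built from it.` The map literal continues past the end of this hunk.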
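Review bot: The exported `MountpointPolicies` is now declared with no doc comment (the sentence that used to describe it stays at the top of the file over the map literal), so godoc shows it bare; add `// MountpointPolicies is the default set of mountpoint policies used for filesystem customizations.` directly above the `var`. The new `"/ostree": {Deny: true}` entry is also the only deny in this block without a reason comment, unlike `// symlink to ../run/lock which is on tmpfs` beside it; a one-liner such as `// ostree manages /ostree; it must stay on the root filesystem` would match the file's style, but confirm the exact rationale against the ostree deployment layout before committing it. Note too that `defaultMountpointPolicies` is passed to `NewPathPolicies` here and later handed to `mergePolicyPath`, which as written in path_policy.go modifies it in place.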
@@ -46,3 +52,6 @@ var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/etc/passwd": {Deny: true},
 	"/etc/group": {Deny: true},
 })
+
+// MountpointPolicies for ostree, which is sum of the default mountpoint policies and ostree addons.
+var OstreeMountpointPolicies = NewPathPolicies(mergePolicyPath(defaultMountpointPolicies, ostreeMountpointPolicyAddons))
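Review bot: The doc comment on the exported `OstreeMountpointPolicies` does not start with its name, so godoc will not attach it; replace it with `// OstreeMountpointPolicies is MountpointPolicies plus the ostree-specific additions; an addon entry never overrides a path already present in the defaults.` That last clause is worth spelling out because `mergePolicyPath` (path_policy.go) keeps the first map's entry on a duplicate key, so a `Deny` addon for a path the defaults already allow would be silently discarded — a test asserting that the addon keys do not overlap the default keys would catch that regression cheaply. The call also passes the package-level `defaultMountpointPolicies` itself, which the helper as written mutates; that is worth either fixing in the helper or noting here.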