From 151d5a9125a9e68a1bb7e9435759b3f115baab14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hozza?= <thozza@redhat.com>
Date: Wed, 25 Oct 2023 09:10:40 +0200
Subject: [PATCH] Deny additional mountpoint paths symlinked to /run
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tomáš Hozza <thozza@redhat.com>
---
 internal/pathpolicy/policies.go      | 4 ++++
 internal/pathpolicy/policies_test.go | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go
index 4f9ef7b307..558a63b5cd 100644
--- a/internal/pathpolicy/policies.go
+++ b/internal/pathpolicy/policies.go
@@ -24,6 +24,10 @@ var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/boot/efi": {Deny: true},
 	// used by systemd / ostree
 	"/sysroot": {Deny: true},
+	// symlink to ../run which is on tmpfs
+	"/var/run": {Deny: true},
+	// symlink to ../run/lock which is on tmpfs
+	"/var/lock": {Deny: true},
 })
 
 // CustomDirectoriesPolicies is a set of default policies for custom directories
diff --git a/internal/pathpolicy/policies_test.go b/internal/pathpolicy/policies_test.go
index f2639e1dda..0fbd624bcb 100644
--- a/internal/pathpolicy/policies_test.go
+++ b/internal/pathpolicy/policies_test.go
@@ -36,6 +36,9 @@ func TestMountpointPolicies(t *testing.T) {
 		{"/var", true},
 		{"/var/lib", true},
 		{"/var/log", true},
+		{"/var/tmp", true},
+		{"/var/run", false},
+		{"/var/lock", false},
 
 		{"/opt", true},
 		{"/opt/fancyapp", true},