policies: split out ostree policies
We want to be stricter for ostree, so let's keep the old policies
there.
supakeen committed Apr 3, 2024
1 parent 1473909 commit 6e082fe
Showing 6 changed files with 67 additions and 10 deletions.
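--- a/pkg/distro/fedora/imagetype.go
+++ b/pkg/distro/fedora/imagetype.go
@@ -389,12 +389,20 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 return nil, err
 }
 
-err = blueprint.CheckDirectoryCustomizationsPolicy(dc, policies.CustomDirectoriesPolicies)
+dcp := policies.CustomDirectoriesPolicies
+fcp := policies.CustomFilesPolicies
+
+if t.rpmOstree {
+dcp = policies.OstreeCustomDirectoriesPolicies
+fcp = policies.OstreeCustomFilesPolicies
+}
+
+err = blueprint.CheckDirectoryCustomizationsPolicy(dc, dcp)
 if err != nil {
 return nil, err
 }
 
-err = blueprint.CheckFileCustomizationsPolicy(fc, policies.CustomFilesPolicies)
+err = blueprint.CheckFileCustomizationsPolicy(fc, fcp)
 if err != nil {
 return nil, err
 }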
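Review bot: The policy selection (`dcp`/`fcp` defaulting to the general policies, then switched to the Ostree variants when `t.rpmOstree` is set) is copied by hand into five checkOptions bodies in this commit (fedora here, plus rhel7, rhel8, rhel9 and rhel10), so the next policy change has to be made in five places to stay consistent. A single helper in the policies package that takes the ostree flag and returns both policies would remove that drift. The branch itself deserves a why-comment, e.g. `// rpm-ostree images get the stricter ostree policies from pkg/policies`. checkOptions begins and ends outside this hunk.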
13 changes: 11 additions & 2 deletions pkg/distro/rhel/rhel10/options.go
Expand Up @@ -46,12 +46,21 @@ func checkOptions(t *rhel.ImageType, bp *blueprint.Blueprint, options distro.Ima
if err != nil {
return warnings, err
}
err = blueprint.CheckDirectoryCustomizationsPolicy(dc, policies.CustomDirectoriesPolicies)

dcp := policies.CustomDirectoriesPolicies
fcp := policies.CustomFilesPolicies

if t.rpmOstree {

t.rpmOstree undefined (type *rhel.ImageType has no field or method rpmOstree) (typecheck)

t.rpmOstree undefined (type *rhel.ImageType has no field or method rpmOstree)) (typecheck)
dcp = policies.OstreeCustomDirectoriesPolicies
fcp = policies.OstreeCustomFilesPolicies
}

err = blueprint.CheckDirectoryCustomizationsPolicy(dc, dcp)
if err != nil {
return warnings, err
}

err = blueprint.CheckFileCustomizationsPolicy(fc, policies.CustomFilesPolicies)
err = blueprint.CheckFileCustomizationsPolicy(fc, fcp)
if err != nil {
return warnings, err
}
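Review bot: The new `if t.rpmOstree` branch does not compile in this file: the typecheck annotation in the hunk reports that `*rhel.ImageType` has no field or method `rpmOstree`, and the identical branch in pkg/distro/rhel/rhel9/options.go fails the same way. These checkOptions functions live in the rhel9/rhel10 packages, not in the rhel package, so an unexported field is unreachable from here; the flag has to come through an exported field or method of `rhel.ImageType` (whichever the rhel package provides is not visible in this diff, and one may need to be added). Until that is fixed the build is broken, and once it is, a short comment at the branch should say that ostree image types get the stricter policies. checkOptions begins and ends outside the hunk.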
13 changes: 11 additions & 2 deletions pkg/distro/rhel/rhel9/options.go
Expand Up @@ -159,12 +159,21 @@ func checkOptions(t *rhel.ImageType, bp *blueprint.Blueprint, options distro.Ima
if err != nil {
return warnings, err
}
err = blueprint.CheckDirectoryCustomizationsPolicy(dc, policies.CustomDirectoriesPolicies)

dcp := policies.CustomDirectoriesPolicies
fcp := policies.CustomFilesPolicies

if t.rpmOstree {

t.rpmOstree undefined (type *rhel.ImageType has no field or method rpmOstree) (typecheck)

t.rpmOstree undefined (type *rhel.ImageType has no field or method rpmOstree)) (typecheck)
dcp = policies.OstreeCustomDirectoriesPolicies
fcp = policies.OstreeCustomFilesPolicies
}

err = blueprint.CheckDirectoryCustomizationsPolicy(dc, dcp)
if err != nil {
return warnings, err
}

err = blueprint.CheckFileCustomizationsPolicy(fc, policies.CustomFilesPolicies)
err = blueprint.CheckFileCustomizationsPolicy(fc, fcp)
if err != nil {
return warnings, err
}
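--- a/pkg/distro/rhel7/imagetype.go
+++ b/pkg/distro/rhel7/imagetype.go
@@ -287,12 +287,15 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 return warnings, err
 }
 
-err = blueprint.CheckDirectoryCustomizationsPolicy(dc, policies.CustomDirectoriesPolicies)
+dcp := policies.CustomDirectoriesPolicies
+fcp := policies.CustomFilesPolicies
+
+err = blueprint.CheckDirectoryCustomizationsPolicy(dc, dcp)
 if err != nil {
 return warnings, err
 }
 
-err = blueprint.CheckFileCustomizationsPolicy(fc, policies.CustomFilesPolicies)
+err = blueprint.CheckFileCustomizationsPolicy(fc, fcp)
 if err != nil {
 return warnings, err
 }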
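Review bot: Unlike the other distros in this commit, this hunk introduces `dcp`/`fcp` without an rpm-ostree branch, so the two locals only alias the general policies and the behaviour is unchanged. If rhel7 has no rpm-ostree image types that is fine, but it should be said where the next reader will look, e.g. `// rhel7 has no rpm-ostree image types, so only the general policies apply`; if it does have them, the stricter policy selection is missing here. checkOptions begins and ends outside the hunk.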
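--- a/pkg/distro/rhel8/imagetype.go
+++ b/pkg/distro/rhel8/imagetype.go
@@ -436,12 +436,21 @@ func (t *imageType) checkOptions(bp *blueprint.Blueprint, options distro.ImageOp
 if err != nil {
 return warnings, err
 }
-err = blueprint.CheckDirectoryCustomizationsPolicy(dc, policies.CustomDirectoriesPolicies)
+
+dcp := policies.CustomDirectoriesPolicies
+fcp := policies.CustomFilesPolicies
+
+if t.rpmOstree {
+dcp = policies.OstreeCustomDirectoriesPolicies
+fcp = policies.OstreeCustomFilesPolicies
+}
+
+err = blueprint.CheckDirectoryCustomizationsPolicy(dc, dcp)
 if err != nil {
 return warnings, err
 }
 
-err = blueprint.CheckFileCustomizationsPolicy(fc, policies.CustomFilesPolicies)
+err = blueprint.CheckFileCustomizationsPolicy(fc, fcp)
 if err != nil {
 return warnings, err
 }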
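--- a/pkg/policies/policies.go
+++ b/pkg/policies/policies.go
@@ -92,3 +92,22 @@ var OstreeMountpointPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.
 "/var/usrlocal": {Deny: true},
 "/var/mnt": {Deny: true},
 })
+
+// CustomDirectoriesPolicies for ostree
+var OstreeCustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
+"/": {Deny: true},
+"/etc": {},
+})
+
+// CustomFilesPolicies for ostree
+var OstreeCustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
+"/": {Deny: true},
+"/etc": {},
+"/root": {},
+"/usr/local/bin": {},
+"/usr/local/sbin": {},
+"/etc/fstab": {Deny: true},
+"/etc/shadow": {Deny: true},
+"/etc/passwd": {Deny: true},
+"/etc/group": {Deny: true},
+})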
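Review bot: The doc comments on the two new exported variables do not start with the identifier name, so `go doc` and the linters will flag them, and they do not say what the policies are for; `// OstreeCustomDirectoriesPolicies restricts blueprint directory customizations on rpm-ostree image types.` and `// OstreeCustomFilesPolicies restricts blueprint file customizations on rpm-ostree image types; it is stricter than CustomFilesPolicies.` would do. Because `/etc` is allowed while `/etc/fstab`, `/etc/shadow`, `/etc/passwd` and `/etc/group` are denied, the effective coverage depends on whether pathpolicy matches entries by prefix or by exact path, which is not visible in this hunk; a sentence in the comment stating which it is, and why those four paths are denied, would let a reader check the intended coverage without reading pathpolicy.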