policies: widen allowed filepaths
Allow writing everywhere except in places that are probably the wrong
ones to write to, since the distribution expects to manage those itself.
supakeen committed Mar 22, 2024
1 parent c8ff1f0 commit b0e5534
Showing 1 changed file with 40 additions and 11 deletions.
51 changes: 40 additions & 11 deletions pkg/policies/policies.go
Expand Up @@ -36,21 +36,50 @@ var MountpointPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPo

// CustomDirectoriesPolicies is a set of default policies for custom directories
var CustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {Deny: true},
"/etc": {},
"/": {},
"/bin": {Deny: true},
"/boot": {Deny: true},
"/dev": {Deny: true},
"/lib": {Deny: true},
"/lib64": {Deny: true},
"/lost+found": {Deny: true},
"/proc": {Deny: true},
"/run": {Deny: true},
"/sbin": {Deny: true},
"/sys": {Deny: true},
"/sysroot": {Deny: true},
"/tmp": {Deny: true},
"/usr": {Deny: true},
"/var/run": {Deny: true},
"/var/tmp": {Deny: true},
"/boot": {Deny: true},

Check failure on line 55 in pkg/policies/policies.go

GitHub Actions / ⌨ Lint

duplicate key "/boot" in map literal

Check failure on line 55 in pkg/policies/policies.go

GitHub Actions / ⌨ Lint

duplicate key "/boot" in map literal

Check failure on line 55 in pkg/policies/policies.go

GitHub Actions / ⌨ Lint

duplicate key "/boot" in map literal
"/efi": {Deny: true},
})

// CustomFilesPolicies is a set of default policies for custom files
var CustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {Deny: true},
"/etc": {},
"/root": {},
"/usr/local/bin": {},
"/usr/local/sbin": {},
"/etc/fstab": {Deny: true},
"/etc/shadow": {Deny: true},
"/etc/passwd": {Deny: true},
"/etc/group": {Deny: true},
"/": {},
"/bin": {Deny: true},
"/boot": {Deny: true},
"/boot": {Deny: true},

Check failure on line 64 in pkg/policies/policies.go

GitHub Actions / ⌨ Lint

duplicate key "/boot" in map literal) (typecheck)

Check failure on line 64 in pkg/policies/policies.go

GitHub Actions / ⌨ Lint

duplicate key "/boot" in map literal) (typecheck)

Check failure on line 64 in pkg/policies/policies.go

GitHub Actions / ⌨ Lint

duplicate key "/boot" in map literal) (typecheck)
"/dev": {Deny: true},
"/efi": {Deny: true},
"/etc/fstab": {Deny: true},
"/etc/group": {Deny: true},
"/etc/passwd": {Deny: true},
"/etc/shadow": {Deny: true},
"/lib": {Deny: true},
"/lib64": {Deny: true},
"/lost+found": {Deny: true},
"/proc": {Deny: true},
"/run": {Deny: true},
"/sbin": {Deny: true},
"/sys": {Deny: true},
"/sysroot": {Deny: true},
"/tmp": {Deny: true},
"/usr": {Deny: true},
"/var/run": {Deny: true},
"/var/tmp": {Deny: true},
})

// MountpointPolicies for ostree
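Review bot: In CustomFilesPolicies the allow entries for `/usr/local/bin` and `/usr/local/sbin` are removed while `"/usr": {Deny: true}` is added, so a commit meant to widen the allowed paths appears to reject two locations that were accepted before. That assumes pathpolicy applies the deny on `/usr` to everything beneath it unless a longer entry overrides it, which is not visible in this hunk; if so, re-add `"/usr/local/bin": {},` and `"/usr/local/sbin": {},` after the `/usr` line. Both maps also move from default-deny (`"/": {Deny: true}`) to default-allow (`"/": {}`), so every path not listed is now writable; a comment above each map such as `// Denylist: any path not listed here is allowed; add new distribution-managed paths explicitly.` would make that posture explicit for the next change.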