From b0e5534f42c35c64e3a74c58101e9c020909bf86 Mon Sep 17 00:00:00 2001
From: Simon de Vlieger
Date: Fri, 22 Mar 2024 10:19:31 +0100
Subject: [PATCH] policies: widen allowed filepaths

Allow writing everywhere aside from things that are probably the wrong places to write things as the distribution expects to manage those.
---
 pkg/policies/policies.go | 51 +++++++++++++++++++++++++++++++---------
 1 file changed, 40 insertions(+), 11 deletions(-)
diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go
index 7d15955715..802efa9bd0 100644
--- a/pkg/policies/policies.go
+++ b/pkg/policies/policies.go
@@ -36,21 +36,50 @@ var MountpointPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPo

 // CustomDirectoriesPolicies is a set of default policies for custom directories
 var CustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
- "/": {Deny: true},
- "/etc": {},
+ "/": {},
+ "/bin": {Deny: true},
+ "/boot": {Deny: true},
+ "/dev": {Deny: true},
+ "/lib": {Deny: true},
+ "/lib64": {Deny: true},
+ "/lost+found": {Deny: true},
+ "/proc": {Deny: true},
+ "/run": {Deny: true},
+ "/sbin": {Deny: true},
+ "/sys": {Deny: true},
+ "/sysroot": {Deny: true},
+ "/tmp": {Deny: true},
+ "/usr": {Deny: true},
+ "/var/run": {Deny: true},
+ "/var/tmp": {Deny: true},
+ "/boot": {Deny: true},
+ "/efi": {Deny: true},
 })

 // CustomFilesPolicies is a set of default policies for custom files
 var CustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
- "/": {Deny: true},
- "/etc": {},
- "/root": {},
- "/usr/local/bin": {},
- "/usr/local/sbin": {},
- "/etc/fstab": {Deny: true},
- "/etc/shadow": {Deny: true},
- "/etc/passwd": {Deny: true},
- "/etc/group": {Deny: true},
+ "/": {},
+ "/bin": {Deny: true},
+ "/boot": {Deny: true},
+ "/boot": {Deny: true},
+ "/dev": {Deny: true},
+ "/efi": {Deny: true},
+ "/etc/fstab": {Deny: true},
+ "/etc/group": {Deny: true},
+ "/etc/passwd": {Deny: true},
+ "/etc/shadow": {Deny: true},
+ "/lib": {Deny: true},
+ "/lib64": {Deny: true},
+ "/lost+found": {Deny: true},
+ "/proc": {Deny: true},
+ "/run": {Deny: true},
+ "/sbin": {Deny: true},
+ "/sys": {Deny: true},
+ "/sysroot": {Deny: true},
+ "/tmp": {Deny: true},
+ "/usr": {Deny: true},
+ "/var/run": {Deny: true},
+ "/var/tmp": {Deny: true},
 })

 // MountpointPolicies for ostree
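Review bot: `"/boot"` appears twice in both new map literals (CustomDirectoriesPolicies and CustomFilesPolicies), and Go rejects a duplicate constant key in a map literal at compile time, so the second `"/boot": {Deny: true},` entry should be dropped from each. In CustomFilesPolicies the new `"/usr": {Deny: true}` also replaces the old explicit allows for `/usr/local/bin` and `/usr/local/sbin`. If policies resolve by longest matching prefix, as the old `/` deny combined with an `/etc` allow suggests, files under those two directories are now rejected, so `"/usr/local/bin": {}` and `"/usr/local/sbin": {}` should stay unless that narrowing is intended. With `/` switched from deny to allow, both maps become denylists that must enumerate every protected path. A comment above each map saying so, and naming which files under `/etc` beyond the four listed are deliberately left writable, would make that trade-off reviewable.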