Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

policies: widen allowed filepaths #540

Merged
merged 2 commits into from
Apr 5, 2024
Merged

policies: widen allowed filepaths #540

merged 2 commits into from
Apr 5, 2024

Conversation

supakeen
Copy link
Member

Allow writing files into /home, /srv, /opt. Allow writing directories into /srv and /opt but not /home.

@supakeen supakeen changed the title policies: allow /home, /srv, and /opt policies: widen allowed filepaths Mar 22, 2024
@supakeen supakeen force-pushed the allow-home-srv branch 2 times, most recently from 34417b5 to b0e5534 Compare March 22, 2024 09:37
ondrejbudai
ondrejbudai requested changes Mar 22, 2024
View reviewed changes
Copy link
Member

@ondrejbudai ondrejbudai left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should apply this only to non-ostree artifacts for the starters. With ostree, it gets weird, because IIRC /var is problematic in commits. Also, we should probably discuss this with the edge folks before committing to any changes there.

@ondrejbudai ondrejbudai requested a review from achilleas-k March 22, 2024 09:40
@achilleas-k
Copy link
Member

I think we should apply this only to non-ostree artifacts for the starters. With ostree, it gets weird, because IIRC /var is problematic in commits. Also, we should probably discuss this with the edge folks before committing to any changes there.

Yeah let's split the file+dir policies like we do with the mountpoints.

@supakeen
Copy link
Member Author

@ondrejbudai @achilleas-k do we want the ostree-specific allowed paths to be what we had or do we have a widened set for those as well?

@achilleas-k
Copy link
Member

achilleas-k commented Mar 22, 2024
edited
Loading

Let's keep the old ones for now and widen them in a separate PR

@ondrejbudai ondrejbudai mentioned this pull request Mar 25, 2024
Merged
@supakeen supakeen force-pushed the allow-home-srv branch 2 times, most recently from 45efa2e to 8579b95 Compare March 26, 2024 22:46
@supakeen supakeen requested a review from ondrejbudai March 27, 2024 08:16
@supakeen
Copy link
Member Author

Should we allow /usr/local/s?bin for the ostree policies? They were recently added for non-ostree.

ondrejbudai
ondrejbudai previously approved these changes Mar 27, 2024
View reviewed changes
Copy link
Member

@ondrejbudai ondrejbudai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Splendid! ❤️

@achilleas-k
Copy link
Member

Merge conflicts :/
Good to merge once that's resolved though 👍

@supakeen
policies: widen allowed filepaths
1473909 
Allow writing everywhere aside from things that are probably the wrong
places to write things as the distribution expects to manage those.
@supakeen
Copy link
Member Author

supakeen commented Apr 3, 2024

@achilleas-k Rebased.

@supakeen
policies: split out ostree policies
68fd4c3 
We want to be more strict for ostree so let's keep the old policies
there.
@achilleas-k achilleas-k added this pull request to the merge queue Apr 5, 2024
Merged via the queue into osbuild:main with commit 63f777a Apr 5, 2024
14 of 16 checks passed
@ezr-ondrej
Copy link
Contributor

Have we reverted #528 by this PR?
I think the goal there was to allow /usr/local/sbin for firstboot scripts, was it an intention here to disable it again?

@lzap lzap mentioned this pull request Apr 12, 2024
Merged
@lzap
Copy link
Contributor

lzap commented Apr 12, 2024

Yeah: #587

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@achilleas-k achilleas-k achilleas-k approved these changes

@ondrejbudai ondrejbudai ondrejbudai left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@supakeen @achilleas-k @ezr-ondrej @lzap @ondrejbudai