rhel85: enable multi-level mountpoints

Previously it was only possible to configure separate partitions for mountpoints in the allow list and their immediate subdirectories only i.e. /var & /var/log This fix allows for an arbitrary level of mountpoints, i.e. /var/log/audit, /var/a/b/c/d/e and so on
2021-08-31 18:15:41 +01:00 · 2021-08-31 18:15:41 +01:00 · 16e80ffa33
commit 16e80ffa33
parent 5a9d8c792b
2 changed files with 95 additions and 10 deletions
--- a/internal/distro/rhel85/distro.go
+++ b/internal/distro/rhel85/distro.go
@ -7,6 +7,7 @@ import (
 	"math/rand"
 	"path"
 	"sort"
+	"strings"

 	"github.com/osbuild/osbuild-composer/internal/blueprint"
 	"github.com/osbuild/osbuild-composer/internal/disk"
@ -42,9 +43,7 @@ const (
 )

 var mountpointAllowList = []string{
-	"/", "/var", "/var/*", "/home", "/home/*", "/opt", "/opt/*",
-	"/srv", "/srv/*", "/usr", "/usr/*", "/app", "/app/*",
-	"/data", "/data/*",
+	"/", "/var", "/opt", "/srv", "/usr", "/app", "/data", "/home",
 }

 type distribution struct {
@ -394,10 +393,17 @@ func (t *imageType) sources(packages []rpmmd.PackageSpec, ostreeCommits []ostree

 func isMountpointAllowed(mountpoint string) bool {
 	for _, allowed := range mountpointAllowList {
-		// check if the path and its subdirectories
-		// is in the allow list
 		match, _ := path.Match(allowed, mountpoint)
-		if mountpoint == "/" || match {
+		if match {
+			return true
+		}
+		// ensure that only clean mountpoints
+		// are valid
+		if strings.Contains(mountpoint, "//") {
+			return false
+		}
+		match = strings.HasPrefix(mountpoint, allowed+"/")
+		if allowed != "/" && match {
 			return true
 		}
 	}
--- a/internal/distro/rhel85/distro_test.go
+++ b/internal/distro/rhel85/distro_test.go
@ -2,6 +2,7 @@ package rhel85_test

 import (
 	"fmt"
+	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
@ -627,6 +628,10 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
 					MinSize:    1024,
 					Mountpoint: "/var/log",
 				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/var/log/audit",
+				},
 			},
 		},
 	}
@ -635,9 +640,7 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
 		for _, imgTypeName := range arch.ListImageTypes() {
 			imgType, _ := arch.GetImageType(imgTypeName)
 			_, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
-			if imgTypeName == "edge-commit" || imgTypeName == "edge-container" {
-				assert.EqualError(t, err, "Custom mountpoints are not supported for ostree types")
-			} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" {
+			if strings.HasPrefix(imgTypeName, "edge-") {
 				continue
 			} else {
 				assert.NoError(t, err)
@ -646,6 +649,78 @@ func TestDistro_CustomFileSystemSubDirectories(t *testing.T) {
 	}
 }

+func TestDistro_MountpointsWithArbitraryDepthAllowed(t *testing.T) {
+	r8distro := rhel85.New()
+	bp := blueprint.Blueprint{
+		Customizations: &blueprint.Customizations{
+			Filesystem: []blueprint.FilesystemCustomization{
+				{
+					MinSize:    1024,
+					Mountpoint: "/var/a",
+				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/var/a/b",
+				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/var/a/b/c",
+				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/var/a/b/c/d",
+				},
+			},
+		},
+	}
+	for _, archName := range r8distro.ListArches() {
+		arch, _ := r8distro.GetArch(archName)
+		for _, imgTypeName := range arch.ListImageTypes() {
+			imgType, _ := arch.GetImageType(imgTypeName)
+			_, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
+			if strings.HasPrefix(imgTypeName, "edge-") {
+				continue
+			} else {
+				assert.NoError(t, err)
+			}
+		}
+	}
+}
+
+func TestDistro_DirtyMountpointsNotAllowed(t *testing.T) {
+	r8distro := rhel85.New()
+	bp := blueprint.Blueprint{
+		Customizations: &blueprint.Customizations{
+			Filesystem: []blueprint.FilesystemCustomization{
+				{
+					MinSize:    1024,
+					Mountpoint: "//",
+				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/var//",
+				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/var//log/audit/",
+				},
+			},
+		},
+	}
+	for _, archName := range r8distro.ListArches() {
+		arch, _ := r8distro.GetArch(archName)
+		for _, imgTypeName := range arch.ListImageTypes() {
+			imgType, _ := arch.GetImageType(imgTypeName)
+			_, err := imgType.Manifest(bp.Customizations, distro.ImageOptions{}, nil, nil, 0)
+			if strings.HasPrefix(imgTypeName, "edge-") {
+				continue
+			} else {
+				assert.EqualError(t, err, "The following custom mountpoints are not supported [\"//\" \"/var//\" \"/var//log/audit/\"]")
+			}
+		}
+	}
+}
+
 func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
 	r8distro := rhel85.New()
 	bp := blueprint.Blueprint{
@ -655,6 +730,10 @@ func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
 					MinSize:    1024,
 					Mountpoint: "/variable",
 				},
+				{
+					MinSize:    1024,
+					Mountpoint: "/variable/log/audit",
+				},
 			},
 		},
 	}
@ -668,7 +747,7 @@ func TestDistro_CustomFileSystemPatternMatching(t *testing.T) {
 			} else if imgTypeName == "edge-installer" || imgTypeName == "edge-simplified-installer" || imgTypeName == "edge-raw-image" {
 				continue
 			} else {
-				assert.EqualError(t, err, "The following custom mountpoints are not supported [\"/variable\"]")
+				assert.EqualError(t, err, "The following custom mountpoints are not supported [\"/variable\" \"/variable/log/audit\"]")
 			}
 		}
 	}