distro: add dir / files customizations policy check

Add a default policy for custom directories and files to constrain what
users can do. The intention is to ensure that directories and files can
be created only in `/etc` and also that none of the important
configuration files can be overwritten by this customization.

Add the policy validation to all distro implementation.

Signed-off-by: Tomáš Hozza <thozza@redhat.com>

internal/distro/fedora/distro.go

@@ -809,6 +809,16 @@ func (t *imageType) checkOptions(customizations *blueprint.Customizations, optio
 		return err
 	}
 
+	err = blueprint.CheckDirectoryCustomizationsPolicy(dc, pathpolicy.CustomDirectoriesPolicies)
+	if err != nil {
+		return err
+	}
+
+	err = blueprint.CheckFileCustomizationsPolicy(fc, pathpolicy.CustomFilesPolicies)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

internal/distro/rhel7/distro.go

@@ -511,6 +511,16 @@ func (t *imageType) checkOptions(customizations *blueprint.Customizations, optio
 		return err
 	}
 
+	err = blueprint.CheckDirectoryCustomizationsPolicy(dc, pathpolicy.CustomDirectoriesPolicies)
+	if err != nil {
+		return err
+	}
+
+	err = blueprint.CheckFileCustomizationsPolicy(fc, pathpolicy.CustomFilesPolicies)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

internal/distro/rhel8/imagetype.go

@@ -446,5 +446,15 @@ func (t *imageType) checkOptions(customizations *blueprint.Customizations, optio
 		return err
 	}
 
+	err = blueprint.CheckDirectoryCustomizationsPolicy(dc, pathpolicy.CustomDirectoriesPolicies)
+	if err != nil {
+		return err
+	}
+
+	err = blueprint.CheckFileCustomizationsPolicy(fc, pathpolicy.CustomFilesPolicies)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }

internal/distro/rhel9/imagetype.go

@@ -423,6 +423,15 @@ func (t *imageType) checkOptions(customizations *blueprint.Customizations, optio
 	if err != nil {
 		return err
 	}
+	err = blueprint.CheckDirectoryCustomizationsPolicy(dc, pathpolicy.CustomDirectoriesPolicies)
+	if err != nil {
+		return err
+	}
+
+	err = blueprint.CheckFileCustomizationsPolicy(fc, pathpolicy.CustomFilesPolicies)
+	if err != nil {
+		return err
+	}
 
 	return nil
 }

internal/pathpolicy/policies.go

@@ -13,3 +13,19 @@ var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/home": {},
 	"/tmp":  {},
 })
+
+// CustomDirectoriesPolicies is a set of default policies for custom directories
+var CustomDirectoriesPolicies = NewPathPolicies(map[string]PathPolicy{
+	"/":    {Deny: true},
+	"/etc": {},
+})
+
+// CustomFilesPolicies is a set of default policies for custom files
+var CustomFilesPolicies = NewPathPolicies(map[string]PathPolicy{
+	"/":           {Deny: true},
+	"/etc":        {},
+	"/etc/fstab":  {Deny: true},
+	"/etc/shadow": {Deny: true},
+	"/etc/passwd": {Deny: true},
+	"/etc/group":  {Deny: true},
+})