particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-forge-composer/vendor/github.com/osbuild/images/pkg/policies/policies.go
Achilleas Koutsou 85e4efe966 go.mod: update to latest images@v0.115.0
2025-02-06 13:48:59 +01:00

119 lines
3.7 KiB
Go
Raw Blame History

package policies
import (
"github.com/osbuild/images/pkg/pathpolicy"
)
// MountpointPolicies is a set of default mountpoint policies used for filesystem customizations
var MountpointPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {},
// /etc must be on the root filesystem
"/etc": {Deny: true},
// NB: any mountpoints under /usr are not supported by systemd fstab
// generator in initram before the switch-root, so we don't allow them.
"/usr": {Exact: true},
// API filesystems
"/sys": {Deny: true},
"/proc": {Deny: true},
"/dev": {Deny: true},
"/run": {Deny: true},
// not allowed due to merged-usr
"/bin": {Deny: true},
"/sbin": {Deny: true},
"/lib": {Deny: true},
"/lib64": {Deny: true},
// used by ext filesystems
"/lost+found": {Deny: true},
// used by EFI
"/boot/efi": {Deny: true},
// used by systemd / ostree
"/sysroot": {Deny: true},
// symlink to ../run which is on tmpfs
"/var/run": {Deny: true},
// symlink to ../run/lock which is on tmpfs
"/var/lock": {Deny: true},
})
// CustomDirectoriesPolicies is a set of default policies for custom directories
var CustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {},
"/bin": {Deny: true},
"/boot": {Deny: true},
"/dev": {Deny: true},
"/lib": {Deny: true},
"/lib64": {Deny: true},
"/lost+found": {Deny: true},
"/proc": {Deny: true},
"/run": {Deny: true},
"/sbin": {Deny: true},
"/sys": {Deny: true},
"/sysroot": {Deny: true},
"/tmp": {Deny: true},
"/usr": {Deny: true},
"/usr/local": {},
"/var/run": {Deny: true},
"/var/tmp": {Deny: true},
"/efi": {Deny: true},
})
// CustomFilesPolicies is a set of default policies for custom files
var CustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {},
"/bin": {Deny: true},
"/boot": {Deny: true},
"/dev": {Deny: true},
"/efi": {Deny: true},
"/etc/fstab": {Deny: true},
"/etc/group": {Deny: true},
"/etc/passwd": {Deny: true},
"/etc/shadow": {Deny: true},
"/lib": {Deny: true},
"/lib64": {Deny: true},
"/lost+found": {Deny: true},
"/proc": {Deny: true},
"/run": {Deny: true},
"/sbin": {Deny: true},
"/sys": {Deny: true},
"/sysroot": {Deny: true},
"/tmp": {Deny: true},
"/usr": {Deny: true},
"/usr/local": {},
"/var/run": {Deny: true},
"/var/tmp": {Deny: true},
})
// MountpointPolicies for ostree
var OstreeMountpointPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {},
"/home": {Deny: true}, // symlink to var/home
"/mnt": {Deny: true}, // symlink to var/mnt
"/opt": {Deny: true}, // symlink to var/opt
"/ostree": {Deny: true}, // symlink to sysroot/ostree
"/root": {Deny: true}, // symlink to var/roothome
"/srv": {Deny: true}, // symlink to var/srv
"/var/home": {Deny: true},
"/var/mnt": {Deny: true},
"/var/opt": {Deny: true},
"/var/roothome": {Deny: true},
"/var/srv": {Deny: true},
"/var/usrlocal": {Deny: true},
})
// CustomDirectoriesPolicies for ostree
var OstreeCustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {Deny: true},
"/etc": {},
})
// CustomFilesPolicies for ostree
var OstreeCustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
"/": {Deny: true},
"/etc": {},
"/root": {},
"/usr/local/bin": {},
"/usr/local/sbin": {},
"/etc/fstab": {Deny: true},
"/etc/shadow": {Deny: true},
"/etc/passwd": {Deny: true},
"/etc/group": {Deny: true},
})
Reference in a new issue View git blame Copy permalink