Add list of explicitly disallowed mountpoints to the policy

Before relaxing the mountpoints policy, let's first disallow paths which can't or should not be backed by a separate partition. This has no effect on the current mountpoint policy, because all of these paths are already disallowed. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
osbuild · Oct 20, 2023 · 2de0f66 · 2de0f66
1 parent af763d6
commit 2de0f66
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/internal/pathpolicy/policies.go b/internal/pathpolicy/policies.go
@@ -7,13 +7,31 @@ var MountpointPolicies = NewPathPolicies(map[string]PathPolicy{
 	"/var":  {},
 	"/opt":  {},
 	"/srv":  {},
+	// /etc must be on the root filesystem
+	"/etc": {Deny: true},
 	// NB: any mountpoints under /usr are not supported by systemd fstab
 	// generator in initram before the switch-root, so we don't allow them.
 	"/usr":  {Exact: true},
 	"/app":  {},
 	"/data": {},
 	"/home": {},
 	"/tmp":  {},
+	// API filesystems
+	"/sys":  {Deny: true},
+	"/proc": {Deny: true},
+	"/dev":  {Deny: true},
+	"/run":  {Deny: true},
+	// not allowed due to merged-usr
+	"/bin":   {Deny: true},
+	"/sbin":  {Deny: true},
+	"/lib":   {Deny: true},
+	"/lib64": {Deny: true},
+	// used by ext filesystems
+	"/lost+found": {Deny: true},
+	// used by EFI
+	"/boot/efi": {Deny: true},
+	// used by systemd / ostree
+	"/sysroot": {Deny: true},
 })
 
 // CustomDirectoriesPolicies is a set of default policies for custom directories