From e5699406f0fdccee7f3009ac3bc83a0caac0c2bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Mon, 3 Feb 2025 14:19:55 +0100
Subject: [PATCH] policies: allow custom directories and filed under /usr/local
According to FHS, /usr/local is meant for installing software locally. Thus, this directory feels like the ideal place for extra software installed by Image Builder's users via the custom files and directories. This commit relaxes the custom files and directory policies so users can add arbitrary files and directories under /usr/local.
---
 pkg/policies/policies.go | 46 ++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go
index 8ea86d487a..e55b3a9396 100644
--- a/pkg/policies/policies.go
+++ b/pkg/policies/policies.go
@@ -50,6 +50,7 @@ var CustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy
 "/sysroot": {Deny: true},
 "/tmp": {Deny: true},
 "/usr": {Deny: true},
+ "/usr/local": {},
 "/var/run": {Deny: true},
 "/var/tmp": {Deny: true},
 "/efi": {Deny: true},
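Review bot: The new `"/usr/local": {}` entry in CustomDirectoriesPolicies is a deliberate exception to `"/usr": {Deny: true}` just above it, but nothing beside it says so, and an empty `PathPolicy{}` reads as "no policy" rather than "allow". It presumably works because pathpolicy resolves a path to its most specific matching entry; that code is not visible in this patch. A short comment would help the next person editing this deny list, for example `// exception to the /usr deny: FHS reserves /usr/local for locally installed software`. The same comment is worth adding to the matching entry in CustomFilesPolicies in the next hunk. The map literal starts and ends outside this hunk.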
@@ -57,29 +58,28 @@ var CustomDirectoriesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy
 // CustomFilesPolicies is a set of default policies for custom files
 var CustomFilesPolicies = pathpolicy.NewPathPolicies(map[string]pathpolicy.PathPolicy{
- "/": {},
- "/usr/local/bin": {},
- "/usr/local/sbin": {},
- "/bin": {Deny: true},
- "/boot": {Deny: true},
- "/dev": {Deny: true},
- "/efi": {Deny: true},
- "/etc/fstab": {Deny: true},
- "/etc/group": {Deny: true},
- "/etc/passwd": {Deny: true},
- "/etc/shadow": {Deny: true},
- "/lib": {Deny: true},
- "/lib64": {Deny: true},
- "/lost+found": {Deny: true},
- "/proc": {Deny: true},
- "/run": {Deny: true},
- "/sbin": {Deny: true},
- "/sys": {Deny: true},
- "/sysroot": {Deny: true},
- "/tmp": {Deny: true},
- "/usr": {Deny: true},
- "/var/run": {Deny: true},
- "/var/tmp": {Deny: true},
+ "/": {},
+ "/bin": {Deny: true},
+ "/boot": {Deny: true},
+ "/dev": {Deny: true},
+ "/efi": {Deny: true},
+ "/etc/fstab": {Deny: true},
+ "/etc/group": {Deny: true},
+ "/etc/passwd": {Deny: true},
+ "/etc/shadow": {Deny: true},
+ "/lib": {Deny: true},
+ "/lib64": {Deny: true},
+ "/lost+found": {Deny: true},
+ "/proc": {Deny: true},
+ "/run": {Deny: true},
+ "/sbin": {Deny: true},
+ "/sys": {Deny: true},
+ "/sysroot": {Deny: true},
+ "/tmp": {Deny: true},
+ "/usr": {Deny: true},
+ "/usr/local": {},
+ "/var/run": {Deny: true},
+ "/var/tmp": {Deny: true},
 })
 // MountpointPolicies for ostree
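Review bot: Replacing the two narrow entries `"/usr/local/bin"` and `"/usr/local/sbin"` with the whole `"/usr/local"` subtree widens where custom files may be written, yet the diffstat shows only policies.go changing, so no test pins the new boundary. A table test against CustomFilesPolicies would be worth adding: a path under `/usr/local/lib` is accepted, `/usr/bin/x` is still rejected, and a sibling such as `/usr/local2/x` (constructed example) is still rejected. The last case holds only if pathpolicy matches on whole path components, which is not visible in this patch. It is also worth confirming that paths are cleaned (for instance with `path.Clean`) before the lookup, so that an allowed prefix followed by `..` segments cannot name a location under the denied `/usr`.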