genpolicy: block self paths for copyFile requests

Self paths are not useful and may cause security issues. Also move parent check to check_symlink_source since we only need this check for symlinks. We already filter self and parent path references in this regexp https://github.com/microsoft/kata-containers/blob/06ea44595d084461340fe172ec59826c168763ff/src/tools/genpolicy/rules.rego#L1185 Signed-off-by: Saul Paredes <[email protected]>
microsoft · Dec 13, 2024 · aabde30 · aabde30
1 parent 06ea445
commit aabde30
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
@@ -1136,7 +1136,6 @@ match_caps(p_caps, i_caps) {
 check_directory_traversal(i_path) {
     contains(i_path, "../") == false
     endswith(i_path, "/..") == false
-    i_path != ".."
 }
 
 check_symlink_source {
@@ -1148,6 +1147,9 @@ check_symlink_source {
     i_src := input.symlink_src
     print("check_symlink_source: i_src =", i_src)
 
+    i_src != "."
+    i_src != ".."
+
     startswith(i_src, "/") == false
     check_directory_traversal(i_src)
 }