From aabde307473fbbadbb2dc5739b816621d7aa5dcf Mon Sep 17 00:00:00 2001
From: Saul Paredes
Date: Fri, 13 Dec 2024 11:15:31 -0800
Subject: [PATCH] genpolicy: block self paths for copyFile requests
Self paths are not useful and may cause security issues. Also move parent check to check_symlink_source since we only need this check for symlinks. We already filter self and parent path references in this regexp https://github.com/microsoft/kata-containers/blob/06ea44595d084461340fe172ec59826c168763ff/src/tools/genpolicy/rules.rego#L1185
Signed-off-by: Saul Paredes
---
 src/tools/genpolicy/rules.rego | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 13128b2e6dc0..a462c0692dab 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1136,7 +1136,6 @@ match_caps(p_caps, i_caps) {
 check_directory_traversal(i_path) {
 contains(i_path, "../") == false
 endswith(i_path, "/..") == false
- i_path != ".."
 }
 
 check_symlink_source {
@@ -1148,6 +1147,9 @@ check_symlink_source {
 i_src := input.symlink_src
 print("check_symlink_source: i_src =", i_src)
 
+ i_src != "."
+ i_src != ".."
+
 startswith(i_src, "/") == false
 check_directory_traversal(i_src)
 }
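Review bot: The two guards added to check_symlink_source compare i_src only against the exact strings "." and "..", so an equivalent spelling such as `./` would still pass, because check_directory_traversal looks only for `../` and a trailing `/..`. If self references are meant to be refused in every form, a further condition such as `i_src != "./"` next to the new ones would close that gap; whether such a value can reach this rule is not visible from the patch. Moving `i_path != ".."` out of check_directory_traversal also means that any other caller of the helper (none is visible in these hunks) now accepts a bare `..` and relies on the regexp cited in the commit message. A comment on the helper would make that dependency explicit, for example `# A bare ".." is not rejected here; callers must filter it themselves (see check_symlink_source).` A policy test that passes `.` and `..` as symlink_src would pin the intended rejection.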