From 56eda1686c417e5893d74c368e8ca6afd2bc5082 Mon Sep 17 00:00:00 2001
From: Greg Kurz
Date: Wed, 6 May 2026 08:04:12 +0200
Subject: [PATCH] genpolicy: Fix matching of `..` in paths

When not escaped, the `.` character in a regular expression matches any character. This causes `CopyFileRequest is blocked by policy` for paths like : /run/kata-containers/shared/containers/b8d668e556bc5daf7454de26496a419128d182c5c16d5af6ad03a9e2593f96d4-c9126bd2cf103ae6-secrets/rhsm/ca In this case, the match is `/ca`.

Signed-off-by: Greg Kurz
---
 src/tools/genpolicy/rules.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 56b55f6a34..a3745f890e 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1520,7 +1520,7 @@ strip_cap_prefix(s) := result if {
 }
 check_directory_traversal(i_path) if {
- not regex.match("(^|/)..($|/)", i_path)
+ not regex.match("(^|/)\\.\\.($|/)", i_path)
 }
 allow_sandbox_storages(i_storages) if {
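Review bot: Nothing in this commit pins the corrected behaviour of `check_directory_traversal`: the diffstat shows only `rules.rego` changed, so a later edit could bring back the unescaped dots or loosen the check without any test failing. The new pattern rejects a strict subset of what the old one rejected, so the change itself only removes false positives; a policy test that accepts a path with a two-character component such as `/ca` and still rejects a `..` component at the start, in the middle and at the end of a path would cover both directions. The doubly escaped literal is also easy to misread, and a Rego raw string needs only one level of escaping: ``not regex.match(`(^|/)\.\.($|/)`, i_path)``. A short comment above the rule, for example `# Reject any path containing a ".." component; the dots are escaped so names like "ca" still pass.`, would record why the escaping matters.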