Merge pull request #12647 from sprt/gp-improve

genpolicy: Improve emptyDir storage options and mount point validation

src/tools/genpolicy/genpolicy-settings.json

@@ -173,7 +173,7 @@
                 "encryption_key=ephemeral"
             ],
             "source": "",
-            "mount_point": "^$(spath)/$(b64_device_id)$",
+            "mount_point": "$(spath)/$(b64_device_id)",
             "fstype": "ext4",
             "options": [],
             "shared": true

src/tools/genpolicy/rules.rego

@@ -1306,6 +1306,7 @@ allow_storage_source(p_storage, i_storage, bundle_id) if {
 allow_storage_options(p_storage, i_storage) if {
     print("allow_storage_options 1: start")
 
+    p_storage.driver != "blk"
     p_storage.driver != "overlayfs"
     p_storage.options == i_storage.options
 
@@ -1389,7 +1390,7 @@ allow_mount_point_by_device_id(p_storage, i_storage) if {
     mount3 := replace(mount2, "$(b64_device_id)", base64url.encode(i_storage.source))
     print("allow_mount_point_by_device_id: mount3 =", mount3)
 
-    regex.match(mount3, i_storage.mount_point)
+    mount3 == i_storage.mount_point
 
     print("allow_mount_point_by_device_id: true")
 }

src/tools/genpolicy/src/mount_and_storage.rs

@@ -168,10 +168,10 @@ fn get_empty_dir_mount_and_storage(
             source: settings_empty_dir.source.clone(),
             fstype: settings_empty_dir.fstype.clone(),
             options,
-            mount_point: if settings_empty_dir.mount_point.ends_with('$') {
-                settings_empty_dir.mount_point.clone()
-            } else {
+            mount_point: if settings_empty_dir.mount_point.ends_with('/') {
                 format!("{}{}$", &settings_empty_dir.mount_point, &yaml_mount.name)
+            } else {
+                settings_empty_dir.mount_point.clone()
             },
             fs_group: protobuf::MessageField::none(),
             shared: settings_empty_dir.shared,