commit a77e33dadb7a37e240f17454250126aa3ba807c0
author Mike Frysinger <vapier@chromium.org> Sun Mar 22 15:15:58 2020 -0400
committer Commit Bot <commit-bot@chromium.org> Tue Mar 24 17:32:13 2020 +0000
tree 364edb2dfa6ca1a9f04561588da60a3f6b4966e5
parent d438193c6dee671db5e2b90024cc5b655ac5c255

hooks: disallow SDK packages installing into /dev

Since we always bind mount /dev from the host distro, we don't want
packages randomly installing content into it & corrupting things.

BUG=None
TEST=SDK builders passes

Change-Id: Ie60e89391fa3557e2fcf627e53ea761ef26cf597
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosutils/+/2113297
Reviewed-by: Alex Klein <saklein@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Tested-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>

hooks/filesystem-sanity.py

diff --git a/hooks/filesystem-sanity.py b/hooks/filesystem-sanity.py
index ce85e3a..b5770b0 100755
--- a/hooks/filesystem-sanity.py
+++ b/hooks/filesystem-sanity.py
@@ -19,14 +19,18 @@
 
 
 # Paths that are allowed in the / dir.
+#
+# NB: We don't allow packages to install into some subdirs because they are
+# always bind mounted with the host distro, and we don't want to pollute them.
+# Those are: /dev
 VALID_ROOT = {
-    'bin', 'boot', 'dev', 'etc', 'home', 'lib', 'lib32', 'lib64', 'media',
+    'bin', 'boot', 'etc', 'home', 'lib', 'lib32', 'lib64', 'media',
     'mnt', 'opt', 'proc', 'root', 'run', 'sbin', 'sys', 'tmp', 'usr', 'var',
 }
 
 # Paths that are allowed in the / dir for boards.
 VALID_BOARD_ROOT = {
-    'build', 'firmware',
+    'build', 'dev', 'firmware',
     # TODO(): We should clean this up.
     'postinst',
 }