BindMount¶
Authorize the request only if the bind mount option doesn’t run over the defined rules.
Checks are recursive. Every paths not explicitly defined are disallowed. A path not terminated by a / will be considered as starting blob (/foo*).
Path starting with + represent an allowed path, hence, path starting with - will be disallowed. The special key $USER will be replaced by the current connected user. You can escape the $ sign by preceding it by a ` (“$USER”) to use `$USER as a litteral.
BindMount are on evaluated only if the action include binded paths. That’s the case for:
Example usage¶
---
- description: Allow everything if bind mounts are validated.
hosts:
- +.*
default: Allow
policies:
- members:
- users
rules:
any:
BindMount:
- "-/"
- "+/home/$USER/"
- "+/0/"
- "-/mnt/something-"
...