From 60443b26ce45a3d8b56445d1b20b7890987711ac Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Wed, 31 Jul 2024 12:53:18 -0400 Subject: [PATCH] Add disallowed_platform_patterns As part of EC-726, a new policy rule, `buildah_build_task.platform_param`, was added to prevent certain platforms from being used based on the value of the `disallowed_platform_patterns` rule data. This commit disallows using platforms that include the `root` string. This is the convention used to specify rootful hosts. For the workflows that do require rootful access, use a policy config that either disables the policy rule, or overrides the value of the rule data to an empty list. Ref: EC-726 Signed-off-by: Luiz Carvalho --- data/rule_data.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/rule_data.yml b/data/rule_data.yml index aa364d3..fff9845 100644 --- a/data/rule_data.yml +++ b/data/rule_data.yml @@ -198,3 +198,6 @@ rule_data: - 2025-12-30 - 2025-12-31 - 2026-01-01 + + disallowed_platform_patterns: + - .*root.*
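Review bot: the new `disallowed_platform_patterns` entry in the `data/rule_data.yml` hunk has no comment explaining what it is for, even though the commit message carries the rationale (rootful hosts are named with `root`, and workflows that need them should disable `buildah_build_task.platform_param` or override the list). Since downstream consumers read this file rather than the git log, add a short YAML comment above the key stating the convention and the override route, e.g. `# Platforms whose names match these regexes are rejected by buildah_build_task.platform_param (EC-726).` Two further points on the pattern `.*root.*` itself: it is case-sensitive, so a platform named with `Root` or `ROOT` would not be caught; if that is intended, say so in the comment, otherwise consider `(?i).*root.*`. And the leading and trailing `.*` only matter if the rule anchors the regex; if it performs an unanchored search, plain `root` is equivalent and less misleading. Whichever applies, a one-line note on the matching semantics would save the next reader from checking the policy rule's source.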