importer: Error importing RPMs which install to /opt (outside of /usr)

Makefile-tests.am

@@ -31,6 +31,7 @@ testpackages = \
 	tests/common/compose/yum/repo/packages/x86_64/scriptpkg1-1.0-1.x86_64.rpm \
 	tests/common/compose/yum/repo/packages/x86_64/nonrootcap-1.0-1.x86_64.rpm \
 	tests/common/compose/yum/repo/packages/x86_64/test-post-rofiles-violation-1.0-1.x86_64.rpm \
+	tests/common/compose/yum/repo/packages/x86_64/test-opt-1.0-1.x86_64.rpm \
 	$(NULL)
 
 # Create a rule for each testpkg with their respective spec file as dep.

src/libpriv/rpmostree-unpacker.c

@@ -575,6 +575,23 @@ append_tmpfiles_d (RpmOstreeUnpacker *self,
     }
 }
 
+/* When we do a unified core, we'll likely need to add /boot to pick up
+ * kernels here at least.  This is intended short term to address
+ * https://github.com/projectatomic/rpm-ostree/issues/233
+ */
+static gboolean
+path_is_ostree_compliant (const char *path)
+{
+  g_assert (*path == '/');
+  path++;
+  return (*path == '\0' ||
+          g_str_equal (path, "usr")   || g_str_has_prefix (path, "usr/")  ||
+          g_str_equal (path, "bin")   || g_str_has_prefix (path, "bin/")  ||
+          g_str_equal (path, "sbin")  || g_str_has_prefix (path, "sbin/") ||
+          g_str_equal (path, "lib")   || g_str_has_prefix (path, "lib/")  ||
+          g_str_equal (path, "lib64") || g_str_has_prefix (path, "lib64/"));
+}
+
 static OstreeRepoCommitFilterResult
 compose_filter_cb (OstreeRepo         *repo,
                    const char         *path,
@@ -609,6 +626,15 @@ compose_filter_cb (OstreeRepo         *repo,
         {
           g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
                        "RPM had unexpected non-root owned path \"%s\", marked as %u:%u)", path, uid, gid);
+          return OSTREE_REPO_COMMIT_FILTER_SKIP;
+        }
+      /* And ensure the RPM installs into supported paths */
+      else if (!path_is_ostree_compliant (path))
+        {
+          g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
+                       "Unsupported path: %s; See %s",
+                       path, "https://github.com/projectatomic/rpm-ostree/issues/233");
+          return OSTREE_REPO_COMMIT_FILTER_SKIP;
         }
     }
 
@@ -721,6 +747,13 @@ import_rpm_to_repo (RpmOstreeUnpacker *self,
       if (!ostree_repo_write_dfd_to_mtree (repo, tmpdir_dfd, ".", mtree, modifier,
                                            cancellable, error))
         goto out;
+
+      /* check if any of the cbs set an error */
+      if (cb_error != NULL)
+        {
+          *error = cb_error;
+          goto out;
+        }
     }
 
   if (!ostree_repo_write_mtree (repo, mtree, &root, cancellable, error))

tests/common/compose/yum/test-opt.spec

@@ -0,0 +1,22 @@
+Summary: Test package which installs in /opt
+Name: test-opt
+Version: 1.0
+Release: 1
+License: GPLv2+
+Group: Development/Tools
+URL: http://example.com
+BuildArch: x86_64
+
+%description
+%{summary}
+
+%prep
+
+%build
+
+%install
+mkdir -p %{buildroot}/opt/app/bin
+touch %{buildroot}/opt/app/bin/foo
+
+%files
+/opt/app

tests/vmcheck/test-layering-basic.sh

@@ -43,6 +43,14 @@ if vm_cmd "runuser -u bin rpm-ostree pkg-add foo-1.0"; then
     assert_not_reached "Was able to install a package as non-root!"
 fi
 
+# Be sure an unprivileged user exists
+if vm_rpmostree install test-opt-1.0 2>err.txt; then
+    assert_not_reached "Was able to install a package in /opt"
+fi
+assert_file_has_content err.txt "See https://github.com/projectatomic/rpm-ostree/issues/233"
+
+echo "ok failed to install in opt"
+
 vm_rpmostree pkg-add foo-1.0
 vm_cmd ostree --repo=/sysroot/ostree/repo/extensions/rpmostree/pkgcache refs |grep /foo/> refs.txt
 pkgref=$(head -1 refs.txt)