From 94a1776fe7ec407eca381e10b6c00ade598e9415 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Tue, 7 Nov 2017 17:10:10 -0500
Subject: [PATCH] unpacker: Error out when trying to install RPM in /usr/local

This came up with `https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/cuda-license-9-0-9.0.176-1.x86_64.rpm`.
Reported by @dustymabe on IRC.

Closes: #1090
Approved by: jlebon
---
 src/libpriv/rpmostree-unpacker.c     |  3 ++-
 tests/vmcheck/test-layering-basic.sh | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/libpriv/rpmostree-unpacker.c b/src/libpriv/rpmostree-unpacker.c
index f2c15eff..f7edd5f4 100644
--- a/src/libpriv/rpmostree-unpacker.c
+++ b/src/libpriv/rpmostree-unpacker.c
@@ -608,7 +608,8 @@ path_is_ostree_compliant (const char *path)
   g_assert (*path == '/');
   path++;
   return (*path == '\0' ||
-          g_str_equal (path, "usr")   || g_str_has_prefix (path, "usr/")  ||
+          g_str_equal (path, "usr")   || (g_str_has_prefix (path, "usr/")
+                                          && !g_str_has_prefix (path, "usr/local/")) ||
           g_str_equal (path, "bin")   || g_str_has_prefix (path, "bin/")  ||
           g_str_equal (path, "sbin")  || g_str_has_prefix (path, "sbin/") ||
           g_str_equal (path, "lib")   || g_str_has_prefix (path, "lib/")  ||
diff --git a/tests/vmcheck/test-layering-basic.sh b/tests/vmcheck/test-layering-basic.sh
index 382f0ef0..f3bf7de9 100755
--- a/tests/vmcheck/test-layering-basic.sh
+++ b/tests/vmcheck/test-layering-basic.sh
@@ -35,7 +35,7 @@ vm_assert_status_jq \
   '.deployments[0]["base-checksum"]|not' \
   '.deployments[0]["pending-base-checksum"]|not'
 
-# make sure installing in /opt fails
+# make sure installing in /opt and /usr/local fails
 
 vm_build_rpm test-opt \
   files /opt/app \
@@ -46,7 +46,18 @@ if vm_rpmostree install test-opt-1.0 2>err.txt; then
 fi
 assert_file_has_content err.txt "See https://github.com/projectatomic/rpm-ostree/issues/233"
 
-echo "ok failed to install in opt"
+# https://developer.download.nvidia.com/compute/cuda/repos/rhel7/x86_64/cuda-license-9-0-9.0.176-1.x86_64.rpm
+# was known to do this.
+vm_build_rpm test-usrlocal \
+             files /usr/local/bin/foo \
+             install "mkdir -p %{buildroot}/usr/local/bin/
+                      touch %{buildroot}/usr/local/bin/foo"
+if vm_rpmostree install test-usrlocal-1.0 2>err.txt; then
+    assert_not_reached "Was able to install a package in /usr/local/"
+fi
+assert_file_has_content err.txt "See https://github.com/projectatomic/rpm-ostree/issues/233"
+
+echo "ok failed to install in /opt and /usr/local"
 
 vm_build_rpm foo
 vm_rpmostree pkg-add foo-1.0