From 9dc5d3aefd3511bfa077e10eff5d17848f0c0e5a Mon Sep 17 00:00:00 2001
From: Vincent Shen
Date: Tue, 2 Jun 2026 09:40:09 -0700
Subject: [PATCH] OCP4: Exclude runtime lock files from file_permissions_cni_conf

The file_permissions_cni_conf rules matched every file under /etc/cni/net.d/ with the regex ^/etc/cni/net.d/.*$ and required mode 0600. The directory can also contain cni.lock, a zero-byte flock sentinel created by CRI-O/podman with mode 0644. The actual CNI configuration files (e.g. 100-crio-bridge.conflist, 200-loopback.conflist) are already 0600 and compliant, but cni.lock caused the rule to FAIL.

Narrow the regex to only match CNI configuration files (.conf, .conflist, .json) so the runtime lock file is no longer checked. This avoids false FAILs while still verifying the permissions of the actual network configuration files.

CMP-4323
---
 .../openshift/master/file_permissions_cni_conf/rule.yml | 2 +-
 .../master/file_permissions_cni_conf_not_s390x/rule.yml | 2 +-
 .../openshift/master/file_permissions_cni_conf_s390x/rule.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/applications/openshift/master/file_permissions_cni_conf/rule.yml b/applications/openshift/master/file_permissions_cni_conf/rule.yml
index 801a8286b1d1..73114f939c73 100644
--- a/applications/openshift/master/file_permissions_cni_conf/rule.yml
+++ b/applications/openshift/master/file_permissions_cni_conf/rule.yml
@@ -32,6 +32,6 @@ ocil: |-
 template:
     name: file_permissions
     vars:
-        filepath: ^/etc/cni/net.d/.*$
+        filepath: ^/etc/cni/net.d/.*\.(conf|conflist|json)$
         filemode: '0600'
         filepath_is_regex: "true"
diff --git a/applications/openshift/master/file_permissions_cni_conf_not_s390x/rule.yml b/applications/openshift/master/file_permissions_cni_conf_not_s390x/rule.yml
index 05f6c432e230..8427537a0e42 100644
--- a/applications/openshift/master/file_permissions_cni_conf_not_s390x/rule.yml
+++ b/applications/openshift/master/file_permissions_cni_conf_not_s390x/rule.yml
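Review bot: The narrowed pattern on the `+        filepath:` line drops from scope every file in /etc/cni/net.d/ that lacks one of the three extensions, not only cni.lock, so a stray or misnamed network config placed there is no longer permission-checked at all; that is defensible only because, as I recall, libcni/CRI-O load solely `.conf`, `.conflist` and `.json` from that directory (case-sensitively — confirm against the libcni ConfFiles extension list), and that reasoning is recorded nowhere in the rule. Add a comment directly above the pattern, e.g. `# Match only the extensions libcni loads; runtime sentinels such as cni.lock are intentionally out of scope`, and check that the rule's description/rationale and the `ocil:` block above this hunk (cut off here) no longer promise that all files in the directory are covered. Unchanged but worth stating in that comment: `.*` still descends into subdirectories, so the check is recursive as before.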
@@ -33,6 +33,6 @@ ocil: |-
 template:
     name: file_permissions
     vars:
-        filepath: ^/etc/cni/net.d/.*$
+        filepath: ^/etc/cni/net.d/.*\.(conf|conflist|json)$
         filemode: '0600'
         filepath_is_regex: "true"
diff --git a/applications/openshift/master/file_permissions_cni_conf_s390x/rule.yml b/applications/openshift/master/file_permissions_cni_conf_s390x/rule.yml
index d864b506e550..1998d6ff4c2d 100644
--- a/applications/openshift/master/file_permissions_cni_conf_s390x/rule.yml
+++ b/applications/openshift/master/file_permissions_cni_conf_s390x/rule.yml
@@ -33,6 +33,6 @@ ocil: |-
 template:
     name: file_permissions
     vars:
-        filepath: ^/etc/cni/net.d/.*$
+        filepath: ^/etc/cni/net.d/.*\.(conf|conflist|json)$
         filemode: '0600'
         filepath_is_regex: "true"
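Review bot: The s390x and not_s390x variants repeat the exact `filepath:` pattern of the base rule by hand, which is how the original over-broad regex produced the same false FAIL in all three files at once and why this fix had to be applied three times; if the repo has a mechanism for sharing template vars between platform variants (a jinja macro or a common variable), pointing all three at one definition would make the next adjustment a single edit. If the duplication has to stay, a one-line comment in each variant such as `# Keep in sync with file_permissions_cni_conf/rule.yml` at least tells the next maintainer where the other copies are. The `ocil:` text above each hunk is outside this view and should be re-read for wording that still claims every file under /etc/cni/net.d/ is checked.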