authorMike Yuan <me@yhndnzj.com>2023-04-13 00:14:30 +0800
committerGitHub <noreply@github.com>2023-04-13 00:14:30 +0800
commit7581da99a104f31e49ea679eb352cb46a3a19383 (patch)
tree525edb61b3d9ca4bc806da1d1b1847b7bfaf807d
parent5a9e2dff473fe9c18f1425fd18ed7c16881b6997 (diff)
parent4f25844a4bc5e20a0c734be6cdd605ed680c7d44 (diff)
downloadsystemd-7581da99a104f31e49ea679eb352cb46a3a19383.tar.gz
Merge pull request #27229 from poettering/dissect-policy-confext
dissect: follow-up for image policy merge
-rw-r--r--man/systemd-sysext.xml12
-rw-r--r--src/shared/discover-image.c10
-rw-r--r--src/shared/image-policy.c10
-rw-r--r--src/shared/image-policy.h1
-rw-r--r--src/sysext/sysext.c5
5 files changed, 26 insertions, 12 deletions
diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml
index a257fa73bc..6e164077e2 100644
--- a/man/systemd-sysext.xml
+++ b/man/systemd-sysext.xml
@@ -281,11 +281,13 @@
<listitem><para>Takes an image policy string as argument, as per
<citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
policy is enforced when operating on system extension disk images. If not specified defaults to
- <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>,
- i.e. only the root and <filename>/usr/</filename> file systems in the image are used. When run in the
- initrd and operating on a system extension image stored in the <filename>/.extra/sysext/</filename>
- directory a slightly stricter policy is used by default:
- <literal>root=signed+absent:usr=signed+absent</literal>, see above for details.</para></listitem>
+ <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>
+ for system extensions, i.e. only the root and <filename>/usr/</filename> file systems in the image
+ are used. For configuration extensions defaults to
+ <literal>root=verity+signed+encrypted+unprotected+absent</literal>. When run in the initrd and
+ operating on a system extension image stored in the <filename>/.extra/sysext/</filename> directory a
+ slightly stricter policy is used by default: <literal>root=signed+absent:usr=signed+absent</literal>,
+ see above for details.</para></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="no-pager" />
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index fac595f0d5..198c975c44 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -79,12 +79,10 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
/* (entries that aren't listed here will get the same search path as for the non initrd-case) */
- [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
- "/run/extensions\0" /* and here too */
- "/var/lib/extensions\0" /* the main place for images */
- "/usr/local/lib/extensions\0"
- "/usr/lib/extensions\0"
- "/.extra/sysext\0" /* put sysext picked up by systemd-stub last, since not trusted */
+ [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
+ "/run/extensions\0" /* and here too */
+ "/var/lib/extensions\0" /* the main place for images */
+ "/.extra/sysext\0" /* put sysext picked up by systemd-stub last, since not trusted */
};
static Image *image_free(Image *i) {
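Review bot: The rewritten `[IMAGE_SYSEXT]` initializer drops `/usr/local/lib/extensions` and `/usr/lib/extensions` from the initrd search path without a comment saying why, although every remaining entry carries a rationale and this table decides which directories are consulted for extension images while in the initrd. Presumably the point is that the initrd's own `/usr/` tree is not a source of extension images, but that is an inference from the change, not something the hunk states. Suggest a comment on the entry such as `/* deliberately no /usr/{local/,}lib/extensions entries here — the initrd's own /usr/ tree is not a source of extension images */`, adjusted to the actual reason.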
diff --git a/src/shared/image-policy.c b/src/shared/image-policy.c
index 5baeac4c5d..8e27021b66 100644
--- a/src/shared/image-policy.c
+++ b/src/shared/image-policy.c
@@ -641,6 +641,16 @@ const ImagePolicy image_policy_sysext_strict = {
.default_flags = PARTITION_POLICY_IGNORE,
};
+const ImagePolicy image_policy_confext = {
+ /* For configuraiton extensions, honour root file system, and ignore everything else. After all, we
+ * are only interested in the /etc/ tree anyway, and that's really the only place it can be. */
+ .n_policies = 1,
+ .policies = {
+ { PARTITION_ROOT, PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED|PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_ABSENT },
+ },
+ .default_flags = PARTITION_POLICY_IGNORE,
+};
+
const ImagePolicy image_policy_container = {
/* For systemd-nspawn containers we use all partitions, with the exception of swap */
.n_policies = 8,
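Review bot: The comment on `image_policy_confext` misspells "configuration" as `configuraiton`; the line should read `/* For configuration extensions, honour root file system, and ignore everything else. After all, we`. The policy itself accepts verity, signed, encrypted, unprotected or absent for the root partition and ignores every other partition, so it behaves as a root-only variant of `image_policy_sysext`; it may help to say so in the comment rather than only the `/etc/` motivation. `image_policy_container` begins in this hunk and continues outside it.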
diff --git a/src/shared/image-policy.h b/src/shared/image-policy.h
index a5e37642af..848b24c147 100644
--- a/src/shared/image-policy.h
+++ b/src/shared/image-policy.h
@@ -59,6 +59,7 @@ extern const ImagePolicy image_policy_deny;
extern const ImagePolicy image_policy_ignore;
extern const ImagePolicy image_policy_sysext; /* No verity required */
extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
+extern const ImagePolicy image_policy_confext; /* No verity required */
extern const ImagePolicy image_policy_container;
extern const ImagePolicy image_policy_service;
extern const ImagePolicy image_policy_host;
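Review bot: The trailing comment on the new `image_policy_confext` declaration is a copy of the one on `image_policy_sysext` and does not say what distinguishes the two: the confext policy honours only the root partition and ignores everything else, so a reader of the header cannot tell them apart. Suggest `extern const ImagePolicy image_policy_confext; /* Root only, no verity required */`.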
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index 3fc6b910c4..df4092fea9 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -63,6 +63,7 @@ static const struct {
const char *level_env;
const char *scope_env;
const char *name_env;
+ const ImagePolicy *default_image_policy;
} image_class_info[_IMAGE_CLASS_MAX] = {
[IMAGE_SYSEXT] = {
.dot_directory_name = ".systemd-sysext",
@@ -72,6 +73,7 @@ static const struct {
.level_env = "SYSEXT_LEVEL",
.scope_env = "SYSEXT_SCOPE",
.name_env = "SYSTEMD_SYSEXT_HIERARCHIES",
+ .default_image_policy = &image_policy_sysext,
},
[IMAGE_CONFEXT] = {
.dot_directory_name = ".systemd-confext",
@@ -81,6 +83,7 @@ static const struct {
.level_env = "CONFEXT_LEVEL",
.scope_env = "CONFEXT_SCOPE",
.name_env = "SYSTEMD_CONFEXT_HIERARCHIES",
+ .default_image_policy = &image_policy_confext,
}
};
@@ -458,7 +461,7 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
return &image_policy_sysext_strict;
- return &image_policy_sysext;
+ return image_class_info[img->class].default_image_policy;
}
static int merge_subprocess(Hashmap *images, const char *workspace) {
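Review bot: The new return indexes `image_class_info[img->class]` without any check, and the table initializes `default_image_policy` only for `IMAGE_SYSEXT` and `IMAGE_CONFEXT`; for any other class the designated initializer leaves the field NULL, so `pick_image_policy()` would now return NULL where it previously always returned `&image_policy_sysext`, and a negative class such as `_IMAGE_CLASS_INVALID` would read outside the array. If this tool only ever handles those two classes, make that explicit before the return with `assert(img->class >= 0 && img->class < _IMAGE_CLASS_MAX);` and `assert(image_class_info[img->class].default_image_policy);`; otherwise fall back to `&image_policy_deny` for an unknown class rather than returning NULL into the policy check. `pick_image_policy()` starts before this hunk, so an existing `assert(img)` there would not cover the class value.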