author | Mike Yuan <me@yhndnzj.com> | 2023-04-13 00:14:30 +0800 |
committer | GitHub <noreply@github.com> | 2023-04-13 00:14:30 +0800 |
commit | 7581da99a104f31e49ea679eb352cb46a3a19383 (patch) | |
tree | 525edb61b3d9ca4bc806da1d1b1847b7bfaf807d | |
parent | 5a9e2dff473fe9c18f1425fd18ed7c16881b6997 (diff) | |
parent | 4f25844a4bc5e20a0c734be6cdd605ed680c7d44 (diff) | |
download | systemd-7581da99a104f31e49ea679eb352cb46a3a19383.tar.gz |
Merge pull request #27229 from poettering/dissect-policy-confext
dissect: follow-up for image policy merge
-rw-r--r-- | man/systemd-sysext.xml | 12 | ||||
-rw-r--r-- | src/shared/discover-image.c | 10 | ||||
-rw-r--r-- | src/shared/image-policy.c | 10 | ||||
-rw-r--r-- | src/shared/image-policy.h | 1 | ||||
-rw-r--r-- | src/sysext/sysext.c | 5 |
5 files changed, 26 insertions, 12 deletions
diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml
index a257fa73bc..6e164077e2 100644
--- a/man/systemd-sysext.xml
+++ b/man/systemd-sysext.xml
@@ -281,11 +281,13 @@
 <listitem><para>Takes an image policy string as argument, as per <citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The policy is enforced when operating on system extension disk images. If not specified defaults to
- <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>,
- i.e. only the root and <filename>/usr/</filename> file systems in the image are used. When run in the
- initrd and operating on a system extension image stored in the <filename>/.extra/sysext/</filename>
- directory a slightly stricter policy is used by default:
- <literal>root=signed+absent:usr=signed+absent</literal>, see above for details.</para></listitem>
+ <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>
+ for system extensions, i.e. only the root and <filename>/usr/</filename> file systems in the image
+ are used. For configuration extensions defaults to
+ <literal>root=verity+signed+encrypted+unprotected+absent</literal>. When run in the initrd and
+ operating on a system extension image stored in the <filename>/.extra/sysext/</filename> directory a
+ slightly stricter policy is used by default: <literal>root=signed+absent:usr=signed+absent</literal>,
+ see above for details.</para></listitem>
 </varlistentry>
 
 <xi:include href="standard-options.xml" xpointer="no-pager" />
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index fac595f0d5..198c975c44 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -79,12 +79,10 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
 static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
 /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
 
- [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
- "/run/extensions\0" /* and here too */
- "/var/lib/extensions\0" /* the main place for images */
- "/usr/local/lib/extensions\0"
- "/usr/lib/extensions\0"
- "/.extra/sysext\0" /* put sysext picked up by systemd-stub last, since not trusted */
+ [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
+ "/run/extensions\0" /* and here too */
+ "/var/lib/extensions\0" /* the main place for images */
+ "/.extra/sysext\0" /* put sysext picked up by systemd-stub last, since not trusted */
 };
 
 static Image *image_free(Image *i) {
diff --git a/src/shared/image-policy.c b/src/shared/image-policy.c
index 5baeac4c5d..8e27021b66 100644
--- a/src/shared/image-policy.c
+++ b/src/shared/image-policy.c
@@ -641,6 +641,16 @@ const ImagePolicy image_policy_sysext_strict = {
 .default_flags = PARTITION_POLICY_IGNORE,
 };
 
+const ImagePolicy image_policy_confext = {
+ /* For configuraiton extensions, honour root file system, and ignore everything else. After all, we
+ * are only interested in the /etc/ tree anyway, and that's really the only place it can be. */
+ .n_policies = 1,
+ .policies = {
+ { PARTITION_ROOT, PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED|PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_ABSENT },
+ },
+ .default_flags = PARTITION_POLICY_IGNORE,
+};
+
 const ImagePolicy image_policy_container = {
 /* For systemd-nspawn containers we use all partitions, with the exception of swap */
 .n_policies = 8,
diff --git a/src/shared/image-policy.h b/src/shared/image-policy.h
index a5e37642af..848b24c147 100644
--- a/src/shared/image-policy.h
+++ b/src/shared/image-policy.h
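Review bot: The new `[IMAGE_SYSEXT]` entry of `image_search_path_initrd` no longer lists `/usr/local/lib/extensions` and `/usr/lib/extensions`, yet nothing in the array records why, while every remaining path carries a rationale comment. Presumably the intent is that inside the initrd the /usr/ tree is the initrd's own rather than the host's and so must not be consulted for extensions; if that is the reason, a comment on the entry such as `/* no /usr/ entries here: in the initrd /usr/ is the initrd's own tree, not the host's */` keeps the paths from being re-added later. The non-initrd `image_search_path` array that the leading comment refers to lies outside the hunk.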
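Review bot: The comment introducing `image_policy_confext` misspells "configuration" as "configuraiton"; suggested first line `/* For configuration extensions, honour root file system, and ignore everything else. After all, we`. The comment could also state what the flag set on `PARTITION_ROOT` implies: because it includes `PARTITION_POLICY_UNPROTECTED`, a configuration extension whose root partition has no verity, signature or encryption is accepted by this default, the same stance the header on this page documents for `image_policy_sysext` as "No verity required"; saying so next to the flags helps anyone auditing the default policies. The hunk covers the whole new definition.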
@@ -59,6 +59,7 @@ extern const ImagePolicy image_policy_deny;
 extern const ImagePolicy image_policy_ignore;
 extern const ImagePolicy image_policy_sysext; /* No verity required */
 extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
+extern const ImagePolicy image_policy_confext; /* No verity required */
 extern const ImagePolicy image_policy_container;
 extern const ImagePolicy image_policy_service;
 extern const ImagePolicy image_policy_host;
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index 3fc6b910c4..df4092fea9 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -63,6 +63,7 @@ static const struct {
 const char *level_env;
 const char *scope_env;
 const char *name_env;
+ const ImagePolicy *default_image_policy;
 } image_class_info[_IMAGE_CLASS_MAX] = {
 [IMAGE_SYSEXT] = {
 .dot_directory_name = ".systemd-sysext",
@@ -72,6 +73,7 @@ static const struct {
 .level_env = "SYSEXT_LEVEL",
 .scope_env = "SYSEXT_SCOPE",
 .name_env = "SYSTEMD_SYSEXT_HIERARCHIES",
+ .default_image_policy = &image_policy_sysext,
 },
 [IMAGE_CONFEXT] = {
 .dot_directory_name = ".systemd-confext",
@@ -81,6 +83,7 @@ static const struct {
 .level_env = "CONFEXT_LEVEL",
 .scope_env = "CONFEXT_SCOPE",
 .name_env = "SYSTEMD_CONFEXT_HIERARCHIES",
+ .default_image_policy = &image_policy_confext,
 }
 };
 
@@ -458,7 +461,7 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
 if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
 return &image_policy_sysext_strict;
 
- return &image_policy_sysext;
+ return image_class_info[img->class].default_image_policy;
 }
 
 static int merge_subprocess(Hashmap *images, const char *workspace) { |
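Review bot: `pick_image_policy` now returns `image_class_info[img->class].default_image_policy`, and in this commit only the `IMAGE_SYSEXT` and `IMAGE_CONFEXT` initializers set that field, so for any other `img->class` the lookup yields a NULL pointer that is handed back as the policy. If only those two classes can reach this function, `return ASSERT_PTR(image_class_info[img->class].default_image_policy);` documents and enforces that assumption; otherwise the caller has to treat NULL as "no policy" explicitly. The `/.extra/sysext/` strict-policy branch above is unchanged and still applies regardless of class. The function's signature line precedes the hunk.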