dissect-image: let's lock down fstypes a bit

When we dissect images automatically, let's be a bit more conservative
with the file system types we are willing to mount: only mount common
file systems automatically.

Explicit mounts requested by admins should always be OK, but when we do
automatic mounts, let's not permit barely maintained, possibly legacy
file systems.

The list for now covers the four common writable and two common
read-only file systems. Sooner or later we might want to add more to the
list.

Also, it might make sense to eventually make this configurable via the
image dissection policy logic.

1 files changed, 9 insertions, 0 deletions

diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index d697a9b362..1d626f2a5a 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -170,6 +170,15 @@ static int add_mount(
 
                 what = crypto_what;
                 fstype = NULL;
+        } else if (fstype) {
+                r = dissect_fstype_ok(fstype);
+                if (r < 0)
+                        return log_error_errno(r, "Unable to determine of dissected file system type '%s' is permitted: %m", fstype);
+                if (!r)
+                        return log_error_errno(
+                                        SYNTHETIC_ERRNO(EIDRM),
+                                        "Refusing to automatically mount uncommon file system '%s' to '%s'.",
+                                        fstype, where);
         }
 
         r = unit_name_from_path(where, ".mount", &unit);