dissect: disallow empty partition tables

If we don't find a single useful partition table, refusing dissection.

(Except in systemd-dissect, when we are supposed to show DDI
information, in that case allow this to run and show general DDI
information, i.e. size, UUID and name at least)

1 files changed, 10 insertions, 0 deletions

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 9cc8d43147..97414d2c8f 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1485,6 +1485,8 @@ static int dissect_image(
                 }
         }
 
+        bool any = false;
+
         /* After we discovered all partitions let's see if the verity requirements match the policy. (Note:
          * we don't check encryption requirements here, because we haven't probed the file system yet, hence
          * don't know if this is encrypted or not) */
@@ -1492,6 +1494,8 @@ static int dissect_image(
                 PartitionDesignator vi, si;
                 PartitionPolicyFlags found_flags;
 
+                any = any || m->partitions[di].found;
+
                 vi = partition_verity_of(di);
                 si = partition_verity_sig_of(di);
 
@@ -1513,6 +1517,9 @@ static int dissect_image(
                 }
         }
 
+        if (!any && !FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_EMPTY))
+                return -ENOMSG;
+
         r = dissected_image_probe_filesystems(m, fd, policy);
         if (r < 0)
                 return r;
@@ -1605,6 +1612,9 @@ static int dissect_log_error(int r, const char *name, const VeritySettings *veri
         case -ERFKILL:
                 return log_error_errno(r, "%s: image does not match image policy.", name);
 
+        case -ENOMSG:
+                return log_error_errno(r, "%s: no suitable partitions found.", name);
+
         default:
                 return log_error_errno(r, "Failed to dissect image '%s': %m", name);
         }