diff options
-rw-r--r-- | src/core/execute.c | 2 | ||||
-rw-r--r-- | src/dissect/dissect.c | 2 | ||||
-rw-r--r-- | src/gpt-auto-generator/gpt-auto-generator.c | 8 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 23 | ||||
-rw-r--r-- | src/portable/portable.c | 2 | ||||
-rw-r--r-- | src/shared/discover-image.c | 7 | ||||
-rw-r--r-- | src/sysext/sysext.c | 6 |
7 files changed, 39 insertions, 11 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 35aea2f830..e791c31b27 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -3247,7 +3247,7 @@ static int apply_mount_namespace( propagate_dir, incoming_dir, root_dir || root_image ? params->notify_socket : NULL, - DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK, + DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK|DISSECT_IMAGE_USR_NO_ROOT, error_path); /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c index cb96a57abe..06808a231e 100644 --- a/src/dissect/dissect.c +++ b/src/dissect/dissect.c @@ -44,7 +44,7 @@ static const char *arg_image = NULL; static const char *arg_path = NULL; static const char *arg_source = NULL; static const char *arg_target = NULL; -static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK; +static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK|DISSECT_IMAGE_USR_NO_ROOT; static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT; static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; static PagerFlags arg_pager_flags = 0; diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index f9d0ca5421..dda9b18815 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -665,7 +665,13 @@ static int enumerate_partitions(dev_t devnum) { if (r <= 0) return r; - r = dissect_image(fd, NULL, NULL, DISSECT_IMAGE_GPT_ONLY|DISSECT_IMAGE_NO_UDEV, &m); + r = dissect_image( + fd, + NULL, NULL, + DISSECT_IMAGE_GPT_ONLY| + DISSECT_IMAGE_NO_UDEV| + DISSECT_IMAGE_USR_NO_ROOT, + &m); if (r == -ENOPKG) { log_debug_errno(r, "No suitable partition table found, ignoring."); return 0; diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index a4ac8ed2bb..00e2ba2654 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3581,8 +3581,12 @@ static int outer_child( * makes sure ESP partitions and userns are compatible. */ r = dissected_image_mount_and_warn( - dissected_image, directory, arg_uid_shift, - DISSECT_IMAGE_MOUNT_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP| + dissected_image, + directory, + arg_uid_shift, + DISSECT_IMAGE_MOUNT_ROOT_ONLY| + DISSECT_IMAGE_DISCARD_ON_LOOP| + DISSECT_IMAGE_USR_NO_ROOT| (arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)| (arg_start_mode == START_BOOT ? DISSECT_IMAGE_VALIDATE_OS : 0)); if (r < 0) @@ -3669,8 +3673,14 @@ static int outer_child( if (dissected_image) { /* Now we know the uid shift, let's now mount everything else that might be in the image. */ - r = dissected_image_mount(dissected_image, directory, arg_uid_shift, - DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP|(arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)); + r = dissected_image_mount( + dissected_image, + directory, + arg_uid_shift, + DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY| + DISSECT_IMAGE_DISCARD_ON_LOOP| + DISSECT_IMAGE_USR_NO_ROOT| + (arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK)); if (r == -EUCLEAN) return log_error_errno(r, "File system check for image failed: %m"); if (r < 0) @@ -5378,7 +5388,10 @@ static int run(int argc, char *argv[]) { } } else { - DissectImageFlags dissect_image_flags = DISSECT_IMAGE_REQUIRE_ROOT | DISSECT_IMAGE_RELAX_VAR_CHECK; + DissectImageFlags dissect_image_flags = + DISSECT_IMAGE_REQUIRE_ROOT | + DISSECT_IMAGE_RELAX_VAR_CHECK | + DISSECT_IMAGE_USR_NO_ROOT; assert(arg_image); assert(!arg_template); diff --git a/src/portable/portable.c b/src/portable/portable.c index 6c09e8bbd4..aacc573ef6 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c @@ -380,7 +380,7 @@ static int portable_extract_by_path( if (r < 0) return log_debug_errno(r, "Failed to create temporary directory: %m"); - r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK, &m); + r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_USR_NO_ROOT, &m); if (r == -ENOPKG) sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Couldn't identify a suitable partition table or file system in '%s'.", path); else if (r == -EADDRNOTAVAIL) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c index 79c4c70a41..a2f2261980 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -1198,7 +1198,12 @@ int image_read_metadata(Image *i) { if (r < 0) return r; - r = dissect_image(d->fd, NULL, NULL, DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_RELAX_VAR_CHECK, &m); + r = dissect_image( + d->fd, + NULL, NULL, + DISSECT_IMAGE_REQUIRE_ROOT| + DISSECT_IMAGE_RELAX_VAR_CHECK| + DISSECT_IMAGE_USR_NO_ROOT, &m); if (r < 0) return r; diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c index 9b1c4908a4..2ebb96c397 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -509,7 +509,11 @@ static int merge_subprocess(Hashmap *images, const char *workspace) { _cleanup_(loop_device_unrefp) LoopDevice *d = NULL; _cleanup_(decrypted_image_unrefp) DecryptedImage *di = NULL; _cleanup_(verity_settings_done) VeritySettings verity_settings = VERITY_SETTINGS_DEFAULT; - DissectImageFlags flags = DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_MOUNT_ROOT_ONLY; + DissectImageFlags flags = + DISSECT_IMAGE_READ_ONLY| + DISSECT_IMAGE_REQUIRE_ROOT| + DISSECT_IMAGE_MOUNT_ROOT_ONLY| + DISSECT_IMAGE_USR_NO_ROOT; r = verity_settings_load(&verity_settings, img->path, NULL, NULL); if (r < 0) |