-rw-r--r-- | man/systemd-sysext.xml | 5 | ||||
-rw-r--r-- | src/shared/discover-image.c | 8 | ||||
-rw-r--r-- | units/systemd-sysext.service | 2 |
3 files changed, 7 insertions, 8 deletions
diff --git a/man/systemd-sysext.xml b/man/systemd-sysext.xml
index 39a16d8e8f..258c7142c9 100644
--- a/man/systemd-sysext.xml
+++ b/man/systemd-sysext.xml
@@ -84,9 +84,8 @@ them they may optionally carry Verity authentication information.</para>
 <para>System extensions are automatically looked for in the directories
- <filename>/etc/extensions/</filename>, <filename>/run/extensions/</filename>,
- <filename>/var/lib/extensions/</filename>, <filename>/usr/lib/extensions/</filename> and
- <filename>/usr/local/lib/extensions/</filename>. The first two listed directories are not suitable for
+ <filename>/etc/extensions/</filename>, <filename>/run/extensions/</filename> and
+ <filename>/var/lib/extensions/</filename>. The first two listed directories are not suitable for
 carrying large binary images, however are still useful for carrying symlinks to them. The primary place for installing system extensions is <filename>/var/lib/extensions/</filename>. Any directories found in these search directories are considered directory based extension images, any files with the
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index fa018cb912..5873741c8c 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -58,11 +58,13 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
 "/usr/local/lib/portables\0"
 "/usr/lib/portables\0",
+ /* Note that we don't allow storing extensions under /usr/, unlike with other image types. That's
+ * because extension images are supposed to extend /usr/, so you get into recursive races, especially
+ * with directory-based extensions, as the kernel's OverlayFS explicitly checks for this and errors
+ * out with -ELOOP if it finds that a lowerdir= is a child of another lowerdir=. */
 [IMAGE_EXTENSION] = "/etc/extensions\0" /* only place symlinks here */
 "/run/extensions\0" /* and here too */
- "/var/lib/extensions\0" /* the main place for images */
- "/usr/local/lib/extensions\0"
- "/usr/lib/extensions\0",
+ "/var/lib/extensions\0", /* the main place for images */
 };
 static Image *image_free(Image *i) {
diff --git a/units/systemd-sysext.service b/units/systemd-sysext.service
index f8c26f5fbf..9a8d4ebc5f 100644
--- a/units/systemd-sysext.service
+++ b/units/systemd-sysext.service
@@ -15,8 +15,6 @@ ConditionCapability=CAP_SYS_ADMIN
 ConditionDirectoryNotEmpty=|/etc/extensions
 ConditionDirectoryNotEmpty=|/run/extensions
 ConditionDirectoryNotEmpty=|/var/lib/extensions
-ConditionDirectoryNotEmpty=|/usr/local/lib/extensions
-ConditionDirectoryNotEmpty=|/usr/lib/extensions
 DefaultDependencies=no
 After=local-fs.target |
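Review bot: The comment added above `[IMAGE_EXTENSION]` justifies excluding /usr/ only for the directories that are searched. The two entries kept next to it are annotated as places for symlinks, so a symlink in /etc/extensions or /run/extensions that resolves to a directory below /usr/ would presumably hit the same OverlayFS -ELOOP. Whether the resolved image path is checked anywhere is not visible here, since the `image_search_path` initializer starts above the hunk and its consumers are outside it. If it is not checked, the comment should say so, for example by appending `* This only restricts the search path; a symlink found here that resolves below /usr/ is not caught by this table.` Separately, images already installed under /usr/lib/extensions or /usr/local/lib/extensions now appear to be skipped silently, and the three-file diffstat carries no release note for that.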