1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

Merge pull request #18018 from bluca/mount_images_overlay

Add ExtensionImages directive to form overlays
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2021-02-25 11:31:14 +01:00 committed by GitHub
commit 155d626bc6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 921 additions and 167 deletions

View File

@ -2565,6 +2565,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s RootVerity = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sba(ss)) ExtensionImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(ssba(ss)) MountImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i OOMScoreAdjust = ...;
@ -3070,24 +3072,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property WorkingDirectory is not documented!-->
<!--property RootDirectory is not documented!-->
<!--property RootImage is not documented!-->
<!--property RootImageOptions is not documented!-->
<!--property RootHash is not documented!-->
<!--property RootHashPath is not documented!-->
<!--property RootHashSignature is not documented!-->
<!--property RootHashSignaturePath is not documented!-->
<!--property RootVerity is not documented!-->
<!--property MountImages is not documented!-->
<!--property OOMScoreAdjust is not documented!-->
<!--property CoredumpFilter is not documented!-->
@ -3656,6 +3644,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
<variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="OOMScoreAdjust"/>
@ -3978,6 +3968,17 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<para><varname>ControlGroup</varname> indicates the control group path the processes of this service
unit are placed in.</para>
<para>The following properties map 1:1 to corresponding settings in the unit file:
<varname>RootDirectory</varname>
<varname>RootImage</varname>
<varname>RootImageOptions</varname>
<varname>RootVerity</varname>
<varname>RootHash</varname>
<varname>RootHashSignature</varname>
<varname>MountImages</varname>
<varname>ExtensionImages</varname>
see systemd.exec(5) for their meaning.</para>
</refsect2>
</refsect1>
@ -4325,6 +4326,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s RootVerity = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sba(ss)) ExtensionImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(ssba(ss)) MountImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i OOMScoreAdjust = ...;
@ -4858,24 +4861,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property WorkingDirectory is not documented!-->
<!--property RootDirectory is not documented!-->
<!--property RootImage is not documented!-->
<!--property RootImageOptions is not documented!-->
<!--property RootHash is not documented!-->
<!--property RootHashPath is not documented!-->
<!--property RootHashSignature is not documented!-->
<!--property RootHashSignaturePath is not documented!-->
<!--property RootVerity is not documented!-->
<!--property MountImages is not documented!-->
<!--property OOMScoreAdjust is not documented!-->
<!--property CoredumpFilter is not documented!-->
@ -5442,6 +5431,8 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
<variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="OOMScoreAdjust"/>
@ -6024,6 +6015,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s RootVerity = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sba(ss)) ExtensionImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(ssba(ss)) MountImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i OOMScoreAdjust = ...;
@ -6485,24 +6478,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property WorkingDirectory is not documented!-->
<!--property RootDirectory is not documented!-->
<!--property RootImage is not documented!-->
<!--property RootImageOptions is not documented!-->
<!--property RootHash is not documented!-->
<!--property RootHashPath is not documented!-->
<!--property RootHashSignature is not documented!-->
<!--property RootHashSignaturePath is not documented!-->
<!--property RootVerity is not documented!-->
<!--property MountImages is not documented!-->
<!--property OOMScoreAdjust is not documented!-->
<!--property CoredumpFilter is not documented!-->
@ -6987,6 +6966,8 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
<variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="OOMScoreAdjust"/>
@ -7690,6 +7671,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s RootVerity = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(sba(ss)) ExtensionImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly a(ssba(ss)) MountImages = [...];
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly i OOMScoreAdjust = ...;
@ -8137,24 +8120,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property WorkingDirectory is not documented!-->
<!--property RootDirectory is not documented!-->
<!--property RootImage is not documented!-->
<!--property RootImageOptions is not documented!-->
<!--property RootHash is not documented!-->
<!--property RootHashPath is not documented!-->
<!--property RootHashSignature is not documented!-->
<!--property RootHashSignaturePath is not documented!-->
<!--property RootVerity is not documented!-->
<!--property MountImages is not documented!-->
<!--property OOMScoreAdjust is not documented!-->
<!--property CoredumpFilter is not documented!-->
@ -8625,6 +8594,8 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="RootVerity"/>
<variablelist class="dbus-property" generated="True" extra-ref="ExtensionImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="MountImages"/>
<variablelist class="dbus-property" generated="True" extra-ref="OOMScoreAdjust"/>

View File

@ -433,6 +433,48 @@
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>ExtensionImages=</varname></term>
<listitem><para>This setting is similar to <varname>MountImages=</varname> in that it mounts a file
system hierarchy from a block device node or loopback file, but instead of providing a destination path,
an overlay will be set up. This option expects a whitespace separated list of mount definitions. Each
definition consists of a source path, optionally followed by a colon and a list of mount options.</para>
<para>A read-only OverlayFS will be set up on top of <filename>/usr/</filename> and
<filename>/opt/</filename> hierarchies from the root. The order in which the images are listed
will determine the order in which the overlay is laid down: images specified first to last will result
in overlayfs layers bottom to top.</para>
<para>Mount options may be defined as a single comma-separated list of options, in which case they
will be implicitly applied to the root partition on the image, or a series of colon-separated tuples
of partition name and mount options. Valid partition names and mount options are the same as for
<varname>RootImageOptions=</varname> setting described above.</para>
<para>Each mount definition may be prefixed with <literal>-</literal>, in which case it will be
ignored when its source path does not exist. The source argument is a path to a block device node or
regular file. If the source path contains a <literal>:</literal>, it needs to be escaped as
<literal>\:</literal>. The device node or file system image file needs to follow the same rules as
specified for <varname>RootImage=</varname>. Any mounts created with this option are specific to the
unit, and are not visible in the host's mount table.</para>
<para>These settings may be used more than once, each usage appends to the unit's list of image
paths. If the empty string is assigned, the entire list of mount paths defined prior to this is
reset.</para>
<para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or
<literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is
set, then this setting adds <filename>/dev/loop-control</filename> with <constant>rw</constant> mode,
<literal>block-loop</literal> and <literal>block-blkext</literal> with <constant>rwm</constant> mode
to <varname>DeviceAllow=</varname>. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for the details about <varname>DevicePolicy=</varname> or <varname>DeviceAllow=</varname>. Also, see
<varname>PrivateDevices=</varname> below, as it may change the setting of
<varname>DevicePolicy=</varname>.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
</variablelist>
</refsect1>

View File

@ -996,6 +996,60 @@ static int property_get_mount_images(
return sd_bus_message_close_container(reply);
}
static int property_get_extension_images(
sd_bus *bus,
const char *path,
const char *interface,
const char *property,
sd_bus_message *reply,
void *userdata,
sd_bus_error *error) {
ExecContext *c = userdata;
int r;
assert(bus);
assert(c);
assert(property);
assert(reply);
r = sd_bus_message_open_container(reply, 'a', "(sba(ss))");
if (r < 0)
return r;
for (size_t i = 0; i < c->n_extension_images; i++) {
MountOptions *m;
r = sd_bus_message_open_container(reply, SD_BUS_TYPE_STRUCT, "sba(ss)");
if (r < 0)
return r;
r = sd_bus_message_append(
reply, "sb",
c->extension_images[i].source,
c->extension_images[i].ignore_enoent);
if (r < 0)
return r;
r = sd_bus_message_open_container(reply, 'a', "(ss)");
if (r < 0)
return r;
LIST_FOREACH(mount_options, m, c->extension_images[i].mount_options) {
r = sd_bus_message_append(reply, "(ss)",
partition_designator_to_string(m->partition_designator),
m->options);
if (r < 0)
return r;
}
r = sd_bus_message_close_container(reply);
if (r < 0)
return r;
r = sd_bus_message_close_container(reply);
if (r < 0)
return r;
}
return sd_bus_message_close_container(reply);
}
const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_VTABLE_START(0),
SD_BUS_PROPERTY("Environment", "as", NULL, offsetof(ExecContext, environment), SD_BUS_VTABLE_PROPERTY_CONST),
@ -1044,6 +1098,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("RootHashSignature", "ay", property_get_root_hash_sig, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RootHashSignaturePath", "s", NULL, offsetof(ExecContext, root_hash_sig_path), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RootVerity", "s", NULL, offsetof(ExecContext, root_verity), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ExtensionImages", "a(sba(ss))", property_get_extension_images, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MountImages", "a(ssba(ss))", property_get_mount_images, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("OOMScoreAdjust", "i", property_get_oom_score_adjust, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("CoredumpFilter", "t", property_get_coredump_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@ -3356,6 +3411,7 @@ int bus_exec_context_set_transient_property(
.destination = destination,
.mount_options = options,
.ignore_enoent = permissive,
.type = MOUNT_IMAGE_DISCRETE,
});
if (r < 0)
return r;
@ -3389,6 +3445,95 @@ int bus_exec_context_set_transient_property(
mount_images = mount_image_free_many(mount_images, &n_mount_images);
return 1;
} else if (streq(name, "ExtensionImages")) {
_cleanup_free_ char *format_str = NULL;
MountImage *extension_images = NULL;
size_t n_extension_images = 0;
r = sd_bus_message_enter_container(message, 'a', "(sba(ss))");
if (r < 0)
return r;
for (;;) {
_cleanup_(mount_options_free_allp) MountOptions *options = NULL;
_cleanup_free_ char *source_escaped = NULL;
char *source, *tuple;
int permissive;
r = sd_bus_message_enter_container(message, 'r', "sba(ss)");
if (r < 0)
return r;
r = sd_bus_message_read(message, "sb", &source, &permissive);
if (r <= 0)
break;
if (!path_is_absolute(source))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Source path %s is not absolute.", source);
if (!path_is_normalized(source))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Source path %s is not normalized.", source);
/* Need to store them in the unit with the escapes, so that they can be parsed again */
source_escaped = shell_escape(source, ":");
if (!source_escaped)
return -ENOMEM;
tuple = strjoin(format_str,
format_str ? " " : "",
permissive ? "-" : "",
source_escaped);
if (!tuple)
return -ENOMEM;
free_and_replace(format_str, tuple);
r = bus_read_mount_options(message, error, &options, &format_str, ":");
if (r < 0)
return r;
r = sd_bus_message_exit_container(message);
if (r < 0)
return r;
r = mount_image_add(&extension_images, &n_extension_images,
&(MountImage) {
.source = source,
.mount_options = options,
.ignore_enoent = permissive,
.type = MOUNT_IMAGE_EXTENSION,
});
if (r < 0)
return r;
}
if (r < 0)
return r;
r = sd_bus_message_exit_container(message);
if (r < 0)
return r;
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
if (n_extension_images == 0) {
c->extension_images = mount_image_free_many(c->extension_images, &c->n_extension_images);
unit_write_settingf(u, flags, name, "%s=", name);
} else {
for (size_t i = 0; i < n_extension_images; ++i) {
r = mount_image_add(&c->extension_images, &c->n_extension_images, &extension_images[i]);
if (r < 0)
return r;
}
unit_write_settingf(u, flags|UNIT_ESCAPE_C|UNIT_ESCAPE_SPECIFIERS,
name,
"%s=%s",
name,
format_str);
}
}
extension_images = mount_image_free_many(extension_images, &n_extension_images);
return 1;
}

View File

@ -2018,6 +2018,9 @@ bool exec_needs_mount_namespace(
if (context->n_mount_images > 0)
return true;
if (context->n_extension_images > 0)
return true;
if (!IN_SET(context->mount_flags, 0, MS_SHARED))
return true;
@ -3235,6 +3238,8 @@ static int apply_mount_namespace(
context->root_hash, context->root_hash_size, context->root_hash_path,
context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
context->root_verity,
context->extension_images,
context->n_extension_images,
propagate_dir,
incoming_dir,
root_dir || root_image ? params->notify_socket : NULL,
@ -4821,6 +4826,7 @@ void exec_context_done(ExecContext *c) {
c->root_hash_sig_size = 0;
c->root_hash_sig_path = mfree(c->root_hash_sig_path);
c->root_verity = mfree(c->root_verity);
c->extension_images = mount_image_free_many(c->extension_images, &c->n_extension_images);
c->tty_path = mfree(c->tty_path);
c->syslog_identifier = mfree(c->syslog_identifier);
c->user = mfree(c->user);
@ -5663,6 +5669,19 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
strempty(o->options));
fprintf(f, "\n");
}
for (size_t i = 0; i < c->n_extension_images; i++) {
MountOptions *o;
fprintf(f, "%sExtensionImages: %s%s", prefix,
c->extension_images[i].ignore_enoent ? "-": "",
c->extension_images[i].source);
LIST_FOREACH(mount_options, o, c->extension_images[i].mount_options)
fprintf(f, ":%s:%s",
partition_designator_to_string(o->partition_designator),
strempty(o->options));
fprintf(f, "\n");
}
}
bool exec_context_maintains_privileges(const ExecContext *c) {

View File

@ -251,6 +251,8 @@ struct ExecContext {
size_t n_temporary_filesystems;
MountImage *mount_images;
size_t n_mount_images;
MountImage *extension_images;
size_t n_extension_images;
uint64_t capability_bounding_set;
uint64_t capability_ambient_set;

View File

@ -28,6 +28,7 @@ $1.RootImageOptions, config_parse_root_image_options,
$1.RootHash, config_parse_exec_root_hash, 0, offsetof($1, exec_context)
$1.RootHashSignature, config_parse_exec_root_hash_sig, 0, offsetof($1, exec_context)
$1.RootVerity, config_parse_unit_path_printf, true, offsetof($1, exec_context.root_verity)
$1.ExtensionImages, config_parse_extension_images, 0, offsetof($1, exec_context)
$1.MountImages, config_parse_mount_images, 0, offsetof($1, exec_context)
$1.User, config_parse_user_group_compat, 0, offsetof($1, exec_context.user)
$1.Group, config_parse_user_group_compat, 0, offsetof($1, exec_context.group)

View File

@ -5117,6 +5117,148 @@ int config_parse_mount_images(
.destination = dresolved,
.mount_options = options,
.ignore_enoent = permissive,
.type = MOUNT_IMAGE_DISCRETE,
});
if (r < 0)
return log_oom();
}
}
int config_parse_extension_images(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
ExecContext *c = data;
const Unit *u = userdata;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
if (isempty(rvalue)) {
/* Empty assignment resets the list */
c->extension_images = mount_image_free_many(c->extension_images, &c->n_extension_images);
return 0;
}
for (const char *p = rvalue;;) {
_cleanup_free_ char *source = NULL, *tuple = NULL, *sresolved = NULL;
_cleanup_(mount_options_free_allp) MountOptions *options = NULL;
bool permissive = false;
const char *q = NULL;
char *s = NULL;
r = extract_first_word(&p, &tuple, NULL, EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax %s=%s, ignoring: %m", lvalue, rvalue);
return 0;
}
if (r == 0)
return 0;
q = tuple;
r = extract_first_word(&q, &source, ":", EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_SEPARATORS);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Invalid syntax in %s=, ignoring: %s", lvalue, tuple);
return 0;
}
if (r == 0)
continue;
s = source;
if (s[0] == '-') {
permissive = true;
s++;
}
r = unit_full_printf(u, s, &sresolved);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r,
"Failed to resolve unit specifiers in \"%s\", ignoring: %m", s);
continue;
}
r = path_simplify_and_warn(sresolved, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue);
if (r < 0)
continue;
for (;;) {
_cleanup_free_ char *partition = NULL, *mount_options = NULL, *mount_options_resolved = NULL;
MountOptions *o = NULL;
PartitionDesignator partition_designator;
r = extract_many_words(&q, ":", EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_SEPARATORS, &partition, &mount_options, NULL);
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Invalid syntax, ignoring: %s", q);
return 0;
}
if (r == 0)
break;
/* Single set of options, applying to the root partition/single filesystem */
if (r == 1) {
r = unit_full_printf(u, partition, &mount_options_resolved);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", partition);
continue;
}
o = new(MountOptions, 1);
if (!o)
return log_oom();
*o = (MountOptions) {
.partition_designator = PARTITION_ROOT,
.options = TAKE_PTR(mount_options_resolved),
};
LIST_APPEND(mount_options, options, o);
break;
}
partition_designator = partition_designator_from_string(partition);
if (partition_designator < 0) {
log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid partition name %s, ignoring", partition);
continue;
}
r = unit_full_printf(u, mount_options, &mount_options_resolved);
if (r < 0) {
log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in %s, ignoring: %m", mount_options);
continue;
}
o = new(MountOptions, 1);
if (!o)
return log_oom();
*o = (MountOptions) {
.partition_designator = partition_designator,
.options = TAKE_PTR(mount_options_resolved),
};
LIST_APPEND(mount_options, options, o);
}
r = mount_image_add(&c->extension_images, &c->n_extension_images,
&(MountImage) {
.source = sresolved,
.mount_options = options,
.ignore_enoent = permissive,
.type = MOUNT_IMAGE_EXTENSION,
});
if (r < 0)
return log_oom();

View File

@ -138,6 +138,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_timeout_abort);
CONFIG_PARSER_PROTOTYPE(config_parse_swap_priority);
CONFIG_PARSER_PROTOTYPE(config_parse_mount_images);
CONFIG_PARSER_PROTOTYPE(config_parse_socket_timestamping);
CONFIG_PARSER_PROTOTYPE(config_parse_extension_images);
/* gperf prototypes */
const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);

View File

@ -11,6 +11,9 @@
#include "alloc-util.h"
#include "base-filesystem.h"
#include "dev-setup.h"
#include "env-util.h"
#include "escape.h"
#include "extension-release.h"
#include "fd-util.h"
#include "format-util.h"
#include "fs-util.h"
@ -24,6 +27,7 @@
#include "namespace-util.h"
#include "namespace.h"
#include "nulstr-util.h"
#include "os-util.h"
#include "path-util.h"
#include "selinux-util.h"
#include "socket-util.h"
@ -41,6 +45,7 @@
typedef enum MountMode {
/* This is ordered by priority! */
INACCESSIBLE,
OVERLAY_MOUNT,
MOUNT_IMAGES,
BIND_MOUNT,
BIND_MOUNT_RECURSIVE,
@ -57,6 +62,7 @@ typedef enum MountMode {
NOEXEC,
EXEC,
TMPFS,
EXTENSION_IMAGES, /* Mounted outside the root directory, and used by subsequent mounts */
READWRITE_IMPLICIT, /* Should have the lowest priority. */
_MOUNT_MODE_MAX,
} MountMode;
@ -205,6 +211,7 @@ static const MountEntry protect_system_strict_table[] = {
static const char * const mount_mode_table[_MOUNT_MODE_MAX] = {
[INACCESSIBLE] = "inaccessible",
[OVERLAY_MOUNT] = "overlay",
[BIND_MOUNT] = "bind",
[BIND_MOUNT_RECURSIVE] = "rbind",
[PRIVATE_TMP] = "private-tmp",
@ -392,6 +399,101 @@ static int append_mount_images(MountEntry **p, const MountImage *mount_images, s
return 0;
}
static int append_extension_images(
MountEntry **p,
const char *root,
const char *extension_dir,
char **hierarchies,
const MountImage *mount_images,
size_t n) {
_cleanup_strv_free_ char **overlays = NULL;
char **hierarchy;
int r;
assert(p);
assert(extension_dir);
if (n == 0)
return 0;
/* Prepare a list of overlays, that will have as each element a string suitable for being
* passed as a lowerdir= parameter, so start with the hierachy on the root.
* The overlays vector will have the same number of elements and will correspond to the
* hierarchies vector, so they can be iterated upon together. */
STRV_FOREACH(hierarchy, hierarchies) {
_cleanup_free_ char *prefixed_hierarchy = NULL;
prefixed_hierarchy = path_join(root, *hierarchy);
if (!prefixed_hierarchy)
return -ENOMEM;
r = strv_consume(&overlays, TAKE_PTR(prefixed_hierarchy));
if (r < 0)
return r;
}
/* First, prepare a mount for each image, but these won't be visible to the unit, instead
* they will be mounted in our propagate directory, and used as a source for the overlay. */
for (size_t i = 0; i < n; i++) {
_cleanup_free_ char *mount_point = NULL;
const MountImage *m = mount_images + i;
r = asprintf(&mount_point, "%s/%zu", extension_dir, i);
if (r < 0)
return -ENOMEM;
for (size_t j = 0; hierarchies && hierarchies[j]; ++j) {
_cleanup_free_ char *prefixed_hierarchy = NULL, *escaped = NULL, *lowerdir = NULL;
prefixed_hierarchy = path_join(mount_point, hierarchies[j]);
if (!prefixed_hierarchy)
return -ENOMEM;
escaped = shell_escape(prefixed_hierarchy, ",:");
if (!escaped)
return -ENOMEM;
/* Note that lowerdir= parameters are in 'reverse' order, so the
* top-most directory in the overlay comes first in the list. */
lowerdir = strjoin(escaped, ":", overlays[j]);
if (!lowerdir)
return -ENOMEM;
free_and_replace(overlays[j], lowerdir);
}
*((*p)++) = (MountEntry) {
.path_malloc = TAKE_PTR(mount_point),
.image_options = m->mount_options,
.ignore = m->ignore_enoent,
.source_const = m->source,
.mode = EXTENSION_IMAGES,
.has_prefix = true,
};
}
/* Then, for each hierarchy, prepare an overlay with the list of lowerdir= strings
* set up earlier. */
for (size_t i = 0; hierarchies && hierarchies[i]; ++i) {
_cleanup_free_ char *prefixed_hierarchy = NULL;
prefixed_hierarchy = path_join(root, hierarchies[i]);
if (!prefixed_hierarchy)
return -ENOMEM;
*((*p)++) = (MountEntry) {
.path_malloc = TAKE_PTR(prefixed_hierarchy),
.options_malloc = TAKE_PTR(overlays[i]),
.mode = OVERLAY_MOUNT,
.has_prefix = true,
.ignore = true, /* If the source image doesn't set the ignore bit it will fail earlier. */
};
}
return 0;
}
static int append_tmpfs_mounts(MountEntry **p, const TemporaryFileSystem *tmpfs, size_t n) {
assert(p);
@ -494,6 +596,12 @@ static int append_protect_system(MountEntry **p, ProtectSystem protect_system, b
static int mount_path_compare(const MountEntry *a, const MountEntry *b) {
int d;
/* EXTENSION_IMAGES will be used by other mounts as a base, so sort them first
* regardless of the prefix - they are set up in the propagate directory anyway */
d = -CMP(a->mode == EXTENSION_IMAGES, b->mode == EXTENSION_IMAGES);
if (d != 0)
return d;
/* If the paths are not equal, then order prefixes first */
d = path_compare(mount_entry_path(a), mount_entry_path(b));
if (d != 0)
@ -640,7 +748,8 @@ static void drop_outside_root(const char *root_directory, MountEntry *m, size_t
for (f = m, t = m; f < m + *n; f++) {
if (!path_startswith(mount_entry_path(f), root_directory)) {
/* ExtensionImages bases are opened in /run/systemd/unit-extensions on the host */
if (f->mode != EXTENSION_IMAGES && !path_startswith(mount_entry_path(f), root_directory)) {
log_debug("%s is outside of root directory.", mount_entry_path(f));
mount_entry_done(f);
continue;
@ -1003,12 +1112,28 @@ static int mount_run(const MountEntry *m) {
return mount_tmpfs(m);
}
static int mount_images(const MountEntry *m) {
static int mount_image(const MountEntry *m, const char *root_directory) {
_cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL,
*host_os_release_sysext_level = NULL;
int r;
assert(m);
r = verity_dissect_and_mount(mount_entry_source(m), mount_entry_path(m), m->image_options);
if (m->mode == EXTENSION_IMAGES) {
r = parse_os_release(
empty_to_root(root_directory),
"ID", &host_os_release_id,
"VERSION_ID", &host_os_release_version_id,
"SYSEXT_LEVEL", &host_os_release_sysext_level,
NULL);
if (r < 0)
return log_debug_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory));
}
r = verity_dissect_and_mount(
mount_entry_source(m), mount_entry_path(m), m->image_options,
host_os_release_id, host_os_release_version_id, host_os_release_sysext_level);
if (r == -ENOENT && m->ignore)
return 0;
if (r < 0)
@ -1017,6 +1142,25 @@ static int mount_images(const MountEntry *m) {
return 1;
}
static int mount_overlay(const MountEntry *m) {
const char *options;
int r;
assert(m);
options = strjoina("lowerdir=", mount_entry_options(m));
(void) mkdir_p_label(mount_entry_path(m), 0755);
r = mount_nofollow_verbose(LOG_DEBUG, "overlay", mount_entry_path(m), "overlay", MS_RDONLY, options);
if (r == -ENOENT && m->ignore)
return 0;
if (r < 0)
return r;
return 1;
}
static int follow_symlink(
const char *root_directory,
MountEntry *m) {
@ -1049,7 +1193,7 @@ static int follow_symlink(
return 0;
}
static int apply_mount(
static int apply_one_mount(
const char *root_directory,
MountEntry *m,
const NamespaceInfo *ns_info) {
@ -1173,7 +1317,13 @@ static int apply_mount(
return mount_run(m);
case MOUNT_IMAGES:
return mount_images(m);
return mount_image(m, NULL);
case EXTENSION_IMAGES:
return mount_image(m, root_directory);
case OVERLAY_MOUNT:
return mount_overlay(m);
default:
assert_not_reached("Unknown mode");
@ -1317,6 +1467,8 @@ static size_t namespace_calculate_mounts(
size_t n_bind_mounts,
size_t n_temporary_filesystems,
size_t n_mount_images,
size_t n_extension_images,
size_t n_hierarchies,
const char* tmp_dir,
const char* var_tmp_dir,
const char *creds_path,
@ -1350,6 +1502,7 @@ static size_t namespace_calculate_mounts(
strv_length(empty_directories) +
n_bind_mounts +
n_mount_images +
(n_extension_images > 0 ? n_hierarchies + n_extension_images : 0) + /* Mount each image plus an overlay per hierarchy */
n_temporary_filesystems +
ns_info->private_dev +
(ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
@ -1378,6 +1531,111 @@ static void normalize_mounts(const char *root_directory, MountEntry *mounts, siz
drop_nop(mounts, n_mounts);
}
static int apply_mounts(
const char *root,
const NamespaceInfo *ns_info,
MountEntry *mounts,
size_t *n_mounts,
char **error_path) {
_cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
_cleanup_free_ char **deny_list = NULL;
size_t j;
int r;
if (n_mounts == 0) /* Shortcut: nothing to do */
return 0;
assert(root);
assert(mounts);
assert(n_mounts);
/* Open /proc/self/mountinfo now as it may become unavailable if we mount anything on top of
* /proc. For example, this is the case with the option: 'InaccessiblePaths=/proc'. */
proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
if (!proc_self_mountinfo) {
if (error_path)
*error_path = strdup("/proc/self/mountinfo");
return log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m");
}
/* First round, establish all mounts we need */
for (;;) {
bool again = false;
for (MountEntry *m = mounts; m < mounts + *n_mounts; ++m) {
if (m->applied)
continue;
/* ExtensionImages are first opened in the propagate directory, not in the root_directory */
r = follow_symlink(m->mode != EXTENSION_IMAGES ? root : NULL, m);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
return r;
}
if (r == 0) {
/* We hit a symlinked mount point. The entry got rewritten and might
* point to a very different place now. Let's normalize the changed
* list, and start from the beginning. After all to mount the entry
* at the new location we might need some other mounts first */
again = true;
break;
}
r = apply_one_mount(root, m, ns_info);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
return r;
}
m->applied = true;
}
if (!again)
break;
normalize_mounts(root, mounts, n_mounts);
}
/* Create a deny list we can pass to bind_mount_recursive() */
deny_list = new(char*, (*n_mounts)+1);
if (!deny_list)
return -ENOMEM;
for (j = 0; j < *n_mounts; j++)
deny_list[j] = (char*) mount_entry_path(mounts+j);
deny_list[j] = NULL;
/* Second round, flip the ro bits if necessary. */
for (MountEntry *m = mounts; m < mounts + *n_mounts; ++m) {
r = make_read_only(m, deny_list, proc_self_mountinfo);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
return r;
}
}
/* Third round, flip the noexec bits with a simplified deny list. */
for (j = 0; j < *n_mounts; j++)
if (IN_SET((mounts+j)->mode, EXEC, NOEXEC))
deny_list[j] = (char*) mount_entry_path(mounts+j);
deny_list[j] = NULL;
for (MountEntry *m = mounts; m < mounts + *n_mounts; ++m) {
r = make_noexec(m, deny_list, proc_self_mountinfo);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
return r;
}
}
return 1;
}
static bool root_read_only(
char **read_only_paths,
ProtectSystem protect_system) {
@ -1514,6 +1772,8 @@ int setup_namespace(
size_t root_hash_sig_size,
const char *root_hash_sig_path,
const char *verity_data_path,
const MountImage *extension_images,
size_t n_extension_images,
const char *propagate_dir,
const char *incoming_dir,
const char *notify_socket,
@ -1524,9 +1784,10 @@ int setup_namespace(
_cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
_cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
_cleanup_strv_free_ char **hierarchies = NULL;
MountEntry *m = NULL, *mounts = NULL;
bool require_prefix = false, setup_propagate = false;
const char *root;
const char *root, *extension_dir = "/run/systemd/unit-extensions";
size_t n_mounts;
int r;
@ -1607,6 +1868,12 @@ int setup_namespace(
require_prefix = true;
}
if (n_extension_images > 0) {
r = parse_env_extension_hierarchies(&hierarchies);
if (r < 0)
return r;
}
n_mounts = namespace_calculate_mounts(
ns_info,
read_write_paths,
@ -1618,6 +1885,8 @@ int setup_namespace(
n_bind_mounts,
n_temporary_filesystems,
n_mount_images,
n_extension_images,
strv_length(hierarchies),
tmp_dir, var_tmp_dir,
creds_path,
log_namespace,
@ -1685,6 +1954,10 @@ int setup_namespace(
if (r < 0)
goto finish;
r = append_extension_images(&m, root, extension_dir, hierarchies, extension_images, n_extension_images);
if (r < 0)
goto finish;
if (ns_info->private_dev)
*(m++) = (MountEntry) {
.path_const = "/dev",
@ -1844,6 +2117,12 @@ int setup_namespace(
if (setup_propagate)
(void) mkdir_p(propagate_dir, 0600);
if (n_extension_images > 0) {
/* ExtensionImages mountpoint directories will be created
* while parsing the mounts to create, so have the parent ready */
(void) mkdir_p(extension_dir, 0600);
}
/* Remount / as SLAVE so that nothing now mounted in the namespace
* shows up in the parent */
if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
@ -1894,96 +2173,10 @@ int setup_namespace(
if (root_image || root_directory)
(void) base_filesystem_create(root, UID_INVALID, GID_INVALID);
if (n_mounts > 0) {
_cleanup_fclose_ FILE *proc_self_mountinfo = NULL;
_cleanup_free_ char **deny_list = NULL;
size_t j;
/* Open /proc/self/mountinfo now as it may become unavailable if we mount anything on top of
* /proc. For example, this is the case with the option: 'InaccessiblePaths=/proc'. */
proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
if (!proc_self_mountinfo) {
r = log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m");
if (error_path)
*error_path = strdup("/proc/self/mountinfo");
goto finish;
}
/* First round, establish all mounts we need */
for (;;) {
bool again = false;
for (m = mounts; m < mounts + n_mounts; ++m) {
if (m->applied)
continue;
r = follow_symlink(root, m);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
goto finish;
}
if (r == 0) {
/* We hit a symlinked mount point. The entry got rewritten and might
* point to a very different place now. Let's normalize the changed
* list, and start from the beginning. After all to mount the entry
* at the new location we might need some other mounts first */
again = true;
break;
}
r = apply_mount(root, m, ns_info);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
goto finish;
}
m->applied = true;
}
if (!again)
break;
normalize_mounts(root, mounts, &n_mounts);
}
/* Create a deny list we can pass to bind_mount_recursive() */
deny_list = new(char*, n_mounts+1);
if (!deny_list) {
r = -ENOMEM;
goto finish;
}
for (j = 0; j < n_mounts; j++)
deny_list[j] = (char*) mount_entry_path(mounts+j);
deny_list[j] = NULL;
/* Second round, flip the ro bits if necessary. */
for (m = mounts; m < mounts + n_mounts; ++m) {
r = make_read_only(m, deny_list, proc_self_mountinfo);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
goto finish;
}
}
/* Third round, flip the noexec bits with a simplified deny list. */
for (m = mounts, j = 0; m < mounts + n_mounts; ++m)
if (IN_SET(m->mode, EXEC, NOEXEC))
deny_list[j++] = (char*) mount_entry_path(m);
deny_list[j] = NULL;
for (m = mounts; m < mounts + n_mounts; ++m) {
r = make_noexec(m, deny_list, proc_self_mountinfo);
if (r < 0) {
if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m));
goto finish;
}
}
}
/* Now make the magic happen */
r = apply_mounts(root, ns_info, mounts, &n_mounts, error_path);
if (r < 0)
goto finish;
/* MS_MOVE does not work on MS_SHARED so the remount MS_SHARED will be done later */
r = mount_move_root(root);
@ -2096,9 +2289,11 @@ int mount_image_add(MountImage **m, size_t *n, const MountImage *item) {
if (!s)
return -ENOMEM;
d = strdup(item->destination);
if (!d)
return -ENOMEM;
if (item->destination) {
d = strdup(item->destination);
if (!d)
return -ENOMEM;
}
LIST_FOREACH(mount_options, i, item->mount_options) {
_cleanup_(mount_options_free_allp) MountOptions *o;
@ -2128,6 +2323,7 @@ int mount_image_add(MountImage **m, size_t *n, const MountImage *item) {
.destination = TAKE_PTR(d),
.mount_options = TAKE_PTR(options),
.ignore_enoent = item->ignore_enoent,
.type = item->type,
};
return 0;

View File

@ -93,11 +93,19 @@ struct TemporaryFileSystem {
char *options;
};
typedef enum MountImageType {
MOUNT_IMAGE_DISCRETE,
MOUNT_IMAGE_EXTENSION,
_MOUNT_IMAGE_TYPE_MAX,
_MOUNT_IMAGE_TYPE_INVALID = -EINVAL,
} MountImageType;
struct MountImage {
char *source;
char *destination;
char *destination; /* Unused if MountImageType == MOUNT_IMAGE_EXTENSION */
LIST_HEAD(MountOptions, mount_options);
bool ignore_enoent;
MountImageType type;
};
int setup_namespace(
@ -129,6 +137,8 @@ int setup_namespace(
size_t root_hash_sig_size,
const char *root_hash_sig_path,
const char *root_verity,
const MountImage *extension_images,
size_t n_extension_images,
const char *propagate_dir,
const char *incoming_dir,
const char *notify_socket,

View File

@ -1766,6 +1766,110 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
return 1;
}
if (streq(field, "ExtensionImages")) {
const char *p = eq;
r = sd_bus_message_open_container(m, SD_BUS_TYPE_STRUCT, "sv");
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_append_basic(m, SD_BUS_TYPE_STRING, field);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_open_container(m, 'v', "a(sba(ss))");
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_open_container(m, 'a', "(sba(ss))");
if (r < 0)
return bus_log_create_error(r);
for (;;) {
_cleanup_free_ char *source = NULL, *tuple = NULL;
const char *q = NULL, *s = NULL;
bool permissive = false;
r = extract_first_word(&p, &tuple, NULL, EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE);
if (r < 0)
return r;
if (r == 0)
break;
q = tuple;
r = extract_first_word(&q, &source, ":", EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_SEPARATORS);
if (r < 0)
return r;
if (r == 0)
continue;
s = source;
if (s[0] == '-') {
permissive = true;
s++;
}
r = sd_bus_message_open_container(m, 'r', "sba(ss)");
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_append(m, "sb", s, permissive);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_open_container(m, 'a', "(ss)");
if (r < 0)
return bus_log_create_error(r);
for (;;) {
_cleanup_free_ char *partition = NULL, *mount_options = NULL;
r = extract_many_words(&q, ":", EXTRACT_CUNESCAPE|EXTRACT_UNESCAPE_SEPARATORS, &partition, &mount_options, NULL);
if (r < 0)
return r;
if (r == 0)
break;
/* Single set of options, applying to the root partition/single filesystem */
if (r == 1) {
r = sd_bus_message_append(m, "(ss)", "root", partition);
if (r < 0)
return bus_log_create_error(r);
break;
}
if (partition_designator_from_string(partition) < 0)
return bus_log_create_error(-EINVAL);
r = sd_bus_message_append(m, "(ss)", partition, mount_options);
if (r < 0)
return bus_log_create_error(r);
}
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
}
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
r = sd_bus_message_close_container(m);
if (r < 0)
return bus_log_create_error(r);
return 1;
}
return 0;
}

View File

@ -27,6 +27,7 @@
#include "dissect-image.h"
#include "dm-util.h"
#include "env-file.h"
#include "extension-release.h"
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
@ -2621,7 +2622,14 @@ static const char *const partition_designator_table[] = {
[PARTITION_VAR] = "var",
};
int verity_dissect_and_mount(const char *src, const char *dest, const MountOptions *options) {
int verity_dissect_and_mount(
const char *src,
const char *dest,
const MountOptions *options,
const char *required_host_os_release_id,
const char *required_host_os_release_version_id,
const char *required_host_os_release_sysext_level) {
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
_cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
@ -2683,6 +2691,30 @@ int verity_dissect_and_mount(const char *src, const char *dest, const MountOptio
if (r < 0)
return log_debug_errno(r, "Failed to mount image: %m");
/* If we got os-release values from the caller, then we need to match them with the image's
* extension-release.d/ content. Return -EINVAL if there's any mismatch.
* First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
* available, or else fallback to VERSION_ID. */
if (required_host_os_release_id &&
(required_host_os_release_version_id || required_host_os_release_sysext_level)) {
_cleanup_strv_free_ char **extension_release = NULL;
r = load_extension_release_pairs(dest, dissected_image->image_name, &extension_release);
if (r < 0)
return log_debug_errno(r, "Failed to parse image %s extension-release metadata: %m", dissected_image->image_name);
r = extension_release_validate(
dissected_image->image_name,
required_host_os_release_id,
required_host_os_release_version_id,
required_host_os_release_sysext_level,
extension_release);
if (r == 0)
return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Image %s extension-release metadata does not match the root's", dissected_image->image_name);
if (r < 0)
return log_debug_errno(r, "Failed to compare image %s extension-release metadata with the root's os-release: %m", dissected_image->image_name);
}
if (decrypted_image) {
r = decrypted_image_relinquish(decrypted_image);
if (r < 0)

View File

@ -164,4 +164,4 @@ bool dissected_image_has_verity(const DissectedImage *image, PartitionDesignator
int mount_image_privately_interactively(const char *path, DissectImageFlags flags, char **ret_directory, LoopDevice **ret_loop_device, DecryptedImage **ret_decrypted_image);
int verity_dissect_and_mount(const char *src, const char *dest, const MountOptions *options);
int verity_dissect_and_mount(const char *src, const char *dest, const MountOptions *options, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level);

View File

@ -77,3 +77,18 @@ int extension_release_validate(
log_debug("Version info of extension '%s' matches host.", name);
return 1;
}
int parse_env_extension_hierarchies(char ***ret_hierarchies) {
int r;
r = getenv_path_list("SYSTEMD_SYSEXT_HIERARCHIES", ret_hierarchies);
if (r < 0)
return log_debug_errno(r, "Failed to parse SYSTEMD_SYSEXT_HIERARCHIES environment variable : %m");
if (!*ret_hierarchies) {
*ret_hierarchies = strv_new("/usr", "/opt");
if (!*ret_hierarchies)
return -ENOMEM;
}
return 0;
}

View File

@ -10,3 +10,6 @@ int extension_release_validate(
const char *host_os_release_version_id,
const char *host_os_release_sysext_level,
char **extension_release);
/* Parse SYSTEMD_SYSEXT_HIERARCHIES and if not set, return "/usr /opt" */
int parse_env_extension_hierarchies(char ***ret_hierarchies);

View File

@ -855,7 +855,7 @@ static int mount_in_namespace(
mount_tmp_created = true;
if (is_image)
r = verity_dissect_and_mount(chased_src, mount_tmp, options);
r = verity_dissect_and_mount(chased_src, mount_tmp, options, NULL, NULL, NULL);
else
r = mount_follow_verbose(LOG_DEBUG, chased_src, mount_tmp, NULL, MS_BIND, NULL);
if (r < 0)

View File

@ -982,16 +982,10 @@ static int run(int argc, char *argv[]) {
/* For debugging purposes it might make sense to do this for other hierarchies than /usr/ and
* /opt/, but let's make that a hacker/debugging feature, i.e. env var instead of cmdline
* switch. */
r = getenv_path_list("SYSTEMD_SYSEXT_HIERARCHIES", &arg_hierarchies);
r = parse_env_extension_hierarchies(&arg_hierarchies);
if (r < 0)
return log_error_errno(r, "Failed to parse $SYSTEMD_SYSEXT_HIERARCHIES environment variable: %m");
if (!arg_hierarchies) {
arg_hierarchies = strv_new("/usr", "/opt");
if (!arg_hierarchies)
return log_oom();
}
return sysext_main(argc, argv);
}

View File

@ -175,6 +175,8 @@ static void test_protect_kernel_logs(void) {
NULL,
NULL,
NULL,
0,
NULL,
NULL,
NULL,
0,

View File

@ -103,6 +103,8 @@ int main(int argc, char *argv[]) {
NULL,
NULL,
NULL,
0,
NULL,
NULL,
NULL,
0,

View File

@ -9,6 +9,8 @@ TEST_INSTALL_VERITY_MINIMAL=1
. $TEST_BASE_DIR/test-functions
command -v mksquashfs >/dev/null 2>&1 || exit 0
command -v veritysetup >/dev/null 2>&1 || exit 0
command -v sfdisk >/dev/null 2>&1 || exit 0
# Need loop devices for systemd-dissect
@ -17,6 +19,7 @@ test_append_files() {
instmods loop =block
instmods squashfs =squashfs
instmods dm_verity =md
instmods overlay =overlayfs
install_dmevent
generate_module_dependencies
inst_binary losetup

View File

@ -206,6 +206,7 @@ RootImage=
RootHash=
RootHashSignature=
RootVerity=
ExtensionImages=
RuntimeMaxSec=
SELinuxContextFromNet=
SecureBits=

View File

@ -480,18 +480,20 @@ install_verity_minimal() {
BASICTOOLS=(
bash
cat
grep
mount
sleep
)
oldinitdir=$initdir
rm -rfv $TESTDIR/minimal
export initdir=$TESTDIR/minimal
mkdir -p $initdir/usr/lib/systemd/system $initdir/etc
mkdir -p $initdir/usr/lib/systemd/system $initdir/usr/lib/extension-release.d $initdir/etc $initdir/var/tmp $initdir/opt
setup_basic_dirs
install_basic_tools
cp $os_release $initdir/usr/lib/os-release
ln -s ../usr/lib/os-release $initdir/etc/os-release
touch $initdir/etc/machine-id $initdir/etc/resolv.conf
touch $initdir/opt/some_file
echo MARKER=1 >> $initdir/usr/lib/os-release
echo -e "[Service]\nExecStartPre=cat /usr/lib/os-release\nExecStart=sleep 120" > $initdir/usr/lib/systemd/system/app0.service
cp $initdir/usr/lib/systemd/system/app0.service $initdir/usr/lib/systemd/system/app0-foo.service
@ -507,6 +509,52 @@ install_verity_minimal() {
mksquashfs $initdir $oldinitdir/usr/share/minimal_1.raw
veritysetup format $oldinitdir/usr/share/minimal_1.raw $oldinitdir/usr/share/minimal_1.verity | \
grep '^Root hash:' | cut -f2 | tr -d '\n' > $oldinitdir/usr/share/minimal_1.roothash
# Rolling distros like Arch do not set VERSION_ID
local version_id=""
if grep -q "^VERSION_ID=" $os_release; then
version_id="$(grep "^VERSION_ID=" $os_release)"
fi
export initdir=$TESTDIR/app0
mkdir -p $initdir/usr/lib/extension-release.d $initdir/usr/lib/systemd/system $initdir/opt
grep "^ID=" $os_release > $initdir/usr/lib/extension-release.d/extension-release.app0
echo "${version_id}" >> $initdir/usr/lib/extension-release.d/extension-release.app0
cat <<EOF > $initdir/usr/lib/systemd/system/app0.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/opt/script0.sh
EOF
cat <<EOF > $initdir/opt/script0.sh
#!/bin/bash
set -e
test -e /usr/lib/os-release
cat /usr/lib/extension-release.d/extension-release.app0
EOF
chmod +x $initdir/opt/script0.sh
echo MARKER=1 > $initdir/usr/lib/systemd/system/some_file
mksquashfs $initdir $oldinitdir/usr/share/app0.raw
export initdir=$TESTDIR/app1
mkdir -p $initdir/usr/lib/extension-release.d $initdir/usr/lib/systemd/system $initdir/opt
grep "^ID=" $os_release > $initdir/usr/lib/extension-release.d/extension-release.app1
echo "${version_id}" >> $initdir/usr/lib/extension-release.d/extension-release.app1
cat <<EOF > $initdir/usr/lib/systemd/system/app1.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/opt/script1.sh
EOF
cat <<EOF > $initdir/opt/script1.sh
#!/bin/bash
set -e
test -e /usr/lib/os-release
cat /usr/lib/extension-release.d/extension-release.app1
EOF
chmod +x $initdir/opt/script1.sh
echo MARKER=1 > $initdir/usr/lib/systemd/system/other_file
mksquashfs $initdir $oldinitdir/usr/share/app1.raw
)
}

View File

@ -227,6 +227,27 @@ done
systemctl is-active testservice-50d.service
# ExtensionImages will set up an overlay
systemd-run -t --property ExtensionImages=/usr/share/app0.raw --property RootImage=${image}.raw cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -t --property ExtensionImages=/usr/share/app0.raw --property RootImage=${image}.raw cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -t --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" --property RootImage=${image}.raw cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -t --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" --property RootImage=${image}.raw cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -t --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" --property RootImage=${image}.raw cat /opt/script1.sh | grep -q -F "extension-release.app1"
systemd-run -t --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" --property RootImage=${image}.raw cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
cat >/run/systemd/system/testservice-50e.service <<EOF
[Service]
MountAPIVFS=yes
TemporaryFileSystem=/run
RootImage=${image}.raw
ExtensionImages=/usr/share/app0.raw /usr/share/app1.raw:nosuid
ExecStart=/bin/bash -c '/opt/script0.sh | grep ID'
ExecStart=/bin/bash -c '/opt/script1.sh | grep ID'
Type=oneshot
RemainAfterExit=yes
EOF
systemctl start testservice-50e.service
systemctl is-active testservice-50e.service
echo OK >/testok
exit 0