mirror of
https://github.com/systemd/systemd.git
synced 2025-01-20 18:04:03 +03:00
Merge pull request #24883 from bluca/extrel_force
portable: allow caller to override extension-release name check
This commit is contained in:
commit
5762dbfad6
@ -307,13 +307,16 @@ node /org/freedesktop/portable1 {
|
||||
<para>The <function>AttachImageWithExtensions()</function>,
|
||||
<function>DetachImageWithExtensions()</function> and
|
||||
<function>ReattachImageWithExtensions()</function> methods take in options as flags instead of
|
||||
booleans to allow for extendability. <varname>SD_SYSTEMD_PORTABLE_FORCE</varname> will cause
|
||||
booleans to allow for extendability. <varname>SD_SYSTEMD_PORTABLE_FORCE_ATTACH</varname> will cause
|
||||
safety checks that ensure the units are not running while the new image is attached or detached
|
||||
to be skipped. They are defined as follows:</para>
|
||||
to be skipped. <varname>SD_SYSTEMD_PORTABLE_FORCE_SYSEXT</varname> will cause the check that the
|
||||
<filename>extension-release.<replaceable>NAME</replaceable></filename> file in the extension image
|
||||
matches the image name to be skipped. They are defined as follows:</para>
|
||||
|
||||
<programlisting>
|
||||
#define SD_SYSTEMD_PORTABLE_RUNTIME (UINT64_C(1) << 0)
|
||||
#define SD_SYSTEMD_PORTABLE_FORCE (UINT64_C(1) << 1)
|
||||
#define SD_SYSTEMD_PORTABLE_RUNTIME (UINT64_C(1) << 0)
|
||||
#define SD_SYSTEMD_PORTABLE_FORCE_ATTACH (UINT64_C(1) << 1)
|
||||
#define SD_SYSTEMD_PORTABLE_FORCE_SYSEXT (UINT64_C(1) << 2)
|
||||
</programlisting>
|
||||
</refsect2>
|
||||
|
||||
|
@ -378,7 +378,9 @@
|
||||
<term><option>--force</option></term>
|
||||
|
||||
<listitem><para>Skip safety checks and attach or detach images (with extensions) without first ensuring
|
||||
that the units are not running.</para></listitem>
|
||||
that the units are not running, and do not insist that the
|
||||
<filename>extension-release.<replaceable>NAME</replaceable></filename> file in the extension image has
|
||||
to match the image filename.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<xi:include href="user-system-options.xml" xpointer="host" />
|
||||
|
@ -441,7 +441,9 @@
|
||||
<para>Each image must carry a <filename>/usr/lib/extension-release.d/extension-release.IMAGE</filename>
|
||||
file, with the appropriate metadata which matches <varname>RootImage=</varname>/<varname>RootDirectory=</varname>
|
||||
or the host. See:
|
||||
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
To disable the safety check that the extension-release file name matches the image file name, the
|
||||
<varname>x-systemd.relax-extension-release-check</varname> mount option may be appended.</para>
|
||||
|
||||
<para>When <varname>DevicePolicy=</varname> is set to <literal>closed</literal> or
|
||||
<literal>strict</literal>, or set to <literal>auto</literal> and <varname>DeviceAllow=</varname> is
|
||||
|
@ -36,7 +36,7 @@ bool image_name_is_valid(const char *s) {
|
||||
return true;
|
||||
}
|
||||
|
||||
int path_is_extension_tree(const char *path, const char *extension) {
|
||||
int path_is_extension_tree(const char *path, const char *extension, bool relax_extension_release_check) {
|
||||
int r;
|
||||
|
||||
assert(path);
|
||||
@ -49,7 +49,7 @@ int path_is_extension_tree(const char *path, const char *extension) {
|
||||
|
||||
/* We use /usr/lib/extension-release.d/extension-release[.NAME] as flag for something being a system extension,
|
||||
* and {/etc|/usr/lib}/os-release as a flag for something being an OS (when not an extension). */
|
||||
r = open_extension_release(path, extension, NULL, NULL);
|
||||
r = open_extension_release(path, extension, relax_extension_release_check, NULL, NULL);
|
||||
if (r == -ENOENT) /* We got nothing */
|
||||
return 0;
|
||||
if (r < 0)
|
||||
@ -58,7 +58,45 @@ int path_is_extension_tree(const char *path, const char *extension) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
int open_extension_release(const char *root, const char *extension, char **ret_path, int *ret_fd) {
|
||||
static int extension_release_strict_xattr_value(int extension_release_fd, const char *extension_release_dir_path, const char *filename) {
|
||||
int r;
|
||||
|
||||
assert(extension_release_fd >= 0);
|
||||
assert(extension_release_dir_path);
|
||||
assert(filename);
|
||||
|
||||
/* No xattr or cannot parse it? Then skip this. */
|
||||
_cleanup_free_ char *extension_release_xattr = NULL;
|
||||
r = fgetxattr_malloc(extension_release_fd, "user.extension-release.strict", &extension_release_xattr);
|
||||
if (r < 0) {
|
||||
if (!ERRNO_IS_XATTR_ABSENT(r))
|
||||
return log_debug_errno(r,
|
||||
"%s/%s: Failed to read 'user.extension-release.strict' extended attribute from file, ignoring: %m",
|
||||
extension_release_dir_path, filename);
|
||||
|
||||
return log_debug_errno(r, "%s/%s does not have user.extension-release.strict xattr, ignoring.", extension_release_dir_path, filename);
|
||||
}
|
||||
|
||||
/* Explicitly set to request strict matching? Skip it. */
|
||||
r = parse_boolean(extension_release_xattr);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r,
|
||||
"%s/%s: Failed to parse 'user.extension-release.strict' extended attribute from file, ignoring: %m",
|
||||
extension_release_dir_path, filename);
|
||||
if (r > 0) {
|
||||
log_debug("%s/%s: 'user.extension-release.strict' attribute is true, ignoring file.",
|
||||
extension_release_dir_path, filename);
|
||||
return true;
|
||||
}
|
||||
|
||||
log_debug("%s/%s: 'user.extension-release.strict' attribute is false%s",
|
||||
extension_release_dir_path, filename,
|
||||
special_glyph(SPECIAL_GLYPH_ELLIPSIS));
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
int open_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, int *ret_fd) {
|
||||
_cleanup_free_ char *q = NULL;
|
||||
int r, fd;
|
||||
|
||||
@ -123,34 +161,14 @@ int open_extension_release(const char *root, const char *extension, char **ret_p
|
||||
continue;
|
||||
}
|
||||
|
||||
/* No xattr or cannot parse it? Then skip this. */
|
||||
_cleanup_free_ char *extension_release_xattr = NULL;
|
||||
k = fgetxattr_malloc(extension_release_fd, "user.extension-release.strict", &extension_release_xattr);
|
||||
if (k < 0 && !ERRNO_IS_XATTR_ABSENT(k))
|
||||
log_debug_errno(k,
|
||||
"%s/%s: Failed to read 'user.extension-release.strict' extended attribute from file: %m",
|
||||
extension_release_dir_path, de->d_name);
|
||||
if (k < 0) {
|
||||
log_debug("%s/%s does not have user.extension-release.strict xattr, ignoring.", extension_release_dir_path, de->d_name);
|
||||
continue;
|
||||
if (!relax_extension_release_check) {
|
||||
k = extension_release_strict_xattr_value(extension_release_fd,
|
||||
extension_release_dir_path,
|
||||
de->d_name);
|
||||
if (k != 0)
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Explicitly set to request strict matching? Skip it. */
|
||||
k = parse_boolean(extension_release_xattr);
|
||||
if (k < 0)
|
||||
log_debug_errno(k,
|
||||
"%s/%s: Failed to parse 'user.extension-release.strict' extended attribute from file: %m",
|
||||
extension_release_dir_path, de->d_name);
|
||||
else if (k > 0)
|
||||
log_debug("%s/%s: 'user.extension-release.strict' attribute is true, ignoring file.",
|
||||
extension_release_dir_path, de->d_name);
|
||||
if (k != 0)
|
||||
continue;
|
||||
|
||||
log_debug("%s/%s: 'user.extension-release.strict' attribute is false%s",
|
||||
extension_release_dir_path, de->d_name,
|
||||
special_glyph(SPECIAL_GLYPH_ELLIPSIS));
|
||||
|
||||
/* We already found what we were looking for, but there's another candidate?
|
||||
* We treat this as an error, as we want to enforce that there are no ambiguities
|
||||
* in case we are in the fallback path.*/
|
||||
@ -207,16 +225,16 @@ int open_extension_release(const char *root, const char *extension, char **ret_p
|
||||
return 0;
|
||||
}
|
||||
|
||||
int fopen_extension_release(const char *root, const char *extension, char **ret_path, FILE **ret_file) {
|
||||
int fopen_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, FILE **ret_file) {
|
||||
_cleanup_free_ char *p = NULL;
|
||||
_cleanup_close_ int fd = -1;
|
||||
FILE *f;
|
||||
int r;
|
||||
|
||||
if (!ret_file)
|
||||
return open_extension_release(root, extension, ret_path, NULL);
|
||||
return open_extension_release(root, extension, relax_extension_release_check, ret_path, NULL);
|
||||
|
||||
r = open_extension_release(root, extension, ret_path ? &p : NULL, &fd);
|
||||
r = open_extension_release(root, extension, relax_extension_release_check, ret_path ? &p : NULL, &fd);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -231,24 +249,24 @@ int fopen_extension_release(const char *root, const char *extension, char **ret_
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int parse_release_internal(const char *root, const char *extension, va_list ap) {
|
||||
static int parse_release_internal(const char *root, bool relax_extension_release_check, const char *extension, va_list ap) {
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
_cleanup_free_ char *p = NULL;
|
||||
int r;
|
||||
|
||||
r = fopen_extension_release(root, extension, &p, &f);
|
||||
r = fopen_extension_release(root, extension, relax_extension_release_check, &p, &f);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return parse_env_filev(f, p, ap);
|
||||
}
|
||||
|
||||
int _parse_extension_release(const char *root, const char *extension, ...) {
|
||||
int _parse_extension_release(const char *root, bool relax_extension_release_check, const char *extension, ...) {
|
||||
va_list ap;
|
||||
int r;
|
||||
|
||||
va_start(ap, extension);
|
||||
r = parse_release_internal(root, extension, ap);
|
||||
r = parse_release_internal(root, relax_extension_release_check, extension, ap);
|
||||
va_end(ap);
|
||||
|
||||
return r;
|
||||
@ -259,7 +277,7 @@ int _parse_os_release(const char *root, ...) {
|
||||
int r;
|
||||
|
||||
va_start(ap, root);
|
||||
r = parse_release_internal(root, NULL, ap);
|
||||
r = parse_release_internal(root, /* relax_extension_release_check= */ false, NULL, ap);
|
||||
va_end(ap);
|
||||
|
||||
return r;
|
||||
@ -306,12 +324,12 @@ int load_os_release_pairs_with_prefix(const char *root, const char *prefix, char
|
||||
return 0;
|
||||
}
|
||||
|
||||
int load_extension_release_pairs(const char *root, const char *extension, char ***ret) {
|
||||
int load_extension_release_pairs(const char *root, const char *extension, bool relax_extension_release_check, char ***ret) {
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
_cleanup_free_ char *p = NULL;
|
||||
int r;
|
||||
|
||||
r = fopen_extension_release(root, extension, &p, &f);
|
||||
r = fopen_extension_release(root, extension, relax_extension_release_check, &p, &f);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
@ -8,27 +8,27 @@
|
||||
|
||||
bool image_name_is_valid(const char *s) _pure_;
|
||||
|
||||
int path_is_extension_tree(const char *path, const char *extension);
|
||||
int path_is_extension_tree(const char *path, const char *extension, bool relax_extension_release_check);
|
||||
static inline int path_is_os_tree(const char *path) {
|
||||
return path_is_extension_tree(path, NULL);
|
||||
return path_is_extension_tree(path, NULL, false);
|
||||
}
|
||||
|
||||
int open_extension_release(const char *root, const char *extension, char **ret_path, int *ret_fd);
|
||||
int open_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, int *ret_fd);
|
||||
static inline int open_os_release(const char *root, char **ret_path, int *ret_fd) {
|
||||
return open_extension_release(root, NULL, ret_path, ret_fd);
|
||||
return open_extension_release(root, NULL, false, ret_path, ret_fd);
|
||||
}
|
||||
|
||||
int fopen_extension_release(const char *root, const char *extension, char **ret_path, FILE **ret_file);
|
||||
int fopen_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, FILE **ret_file);
|
||||
static inline int fopen_os_release(const char *root, char **ret_path, FILE **ret_file) {
|
||||
return fopen_extension_release(root, NULL, ret_path, ret_file);
|
||||
return fopen_extension_release(root, NULL, false, ret_path, ret_file);
|
||||
}
|
||||
|
||||
int _parse_extension_release(const char *root, const char *extension, ...) _sentinel_;
|
||||
int _parse_extension_release(const char *root, bool relax_extension_release_check, const char *extension, ...) _sentinel_;
|
||||
int _parse_os_release(const char *root, ...) _sentinel_;
|
||||
#define parse_extension_release(root, extension, ...) _parse_extension_release(root, extension, __VA_ARGS__, NULL)
|
||||
#define parse_extension_release(root, relax_extension_release_check, extension, ...) _parse_extension_release(root, relax_extension_release_check, extension, __VA_ARGS__, NULL)
|
||||
#define parse_os_release(root, ...) _parse_os_release(root, __VA_ARGS__, NULL)
|
||||
|
||||
int load_extension_release_pairs(const char *root, const char *extension, char ***ret);
|
||||
int load_extension_release_pairs(const char *root, const char *extension, bool relax_extension_release_check, char ***ret);
|
||||
int load_os_release_pairs(const char *root, char ***ret);
|
||||
int load_os_release_pairs_with_prefix(const char *root, const char *prefix, char ***ret);
|
||||
|
||||
|
@ -1382,7 +1382,7 @@ static int apply_one_mount(
|
||||
if (isempty(host_os_release_id))
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory));
|
||||
|
||||
r = load_extension_release_pairs(mount_entry_source(m), extension_name, &extension_release);
|
||||
r = load_extension_release_pairs(mount_entry_source(m), extension_name, /* relax_extension_release_check= */ false, &extension_release);
|
||||
if (r == -ENOENT && m->ignore)
|
||||
return 0;
|
||||
if (r < 0)
|
||||
|
@ -171,6 +171,7 @@ static int extract_now(
|
||||
char **matches,
|
||||
const char *image_name,
|
||||
bool path_is_extension,
|
||||
bool relax_extension_release_check,
|
||||
int socket_fd,
|
||||
PortableMetadata **ret_os_release,
|
||||
Hashmap **ret_unit_files) {
|
||||
@ -197,7 +198,7 @@ static int extract_now(
|
||||
/* First, find os-release/extension-release and send it upstream (or just save it). */
|
||||
if (path_is_extension) {
|
||||
os_release_id = strjoina("/usr/lib/extension-release.d/extension-release.", image_name);
|
||||
r = open_extension_release(where, image_name, &os_release_path, &os_release_fd);
|
||||
r = open_extension_release(where, image_name, relax_extension_release_check, &os_release_path, &os_release_fd);
|
||||
} else {
|
||||
os_release_id = "/etc/os-release";
|
||||
r = open_os_release(where, &os_release_path, &os_release_fd);
|
||||
@ -321,6 +322,7 @@ static int extract_now(
|
||||
static int portable_extract_by_path(
|
||||
const char *path,
|
||||
bool path_is_extension,
|
||||
bool relax_extension_release_check,
|
||||
char **matches,
|
||||
PortableMetadata **ret_os_release,
|
||||
Hashmap **ret_unit_files,
|
||||
@ -344,7 +346,7 @@ static int portable_extract_by_path(
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to extract image name from path '%s': %m", path);
|
||||
|
||||
r = extract_now(path, matches, image_name, path_is_extension, -1, &os_release, &unit_files);
|
||||
r = extract_now(path, matches, image_name, path_is_extension, /* relax_extension_release_check= */ false, -1, &os_release, &unit_files);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -400,7 +402,7 @@ static int portable_extract_by_path(
|
||||
seq[0] = safe_close(seq[0]);
|
||||
|
||||
if (path_is_extension)
|
||||
flags |= DISSECT_IMAGE_VALIDATE_OS_EXT;
|
||||
flags |= DISSECT_IMAGE_VALIDATE_OS_EXT | (relax_extension_release_check ? DISSECT_IMAGE_RELAX_SYSEXT_CHECK : 0);
|
||||
else
|
||||
flags |= DISSECT_IMAGE_VALIDATE_OS;
|
||||
|
||||
@ -410,7 +412,7 @@ static int portable_extract_by_path(
|
||||
goto child_finish;
|
||||
}
|
||||
|
||||
r = extract_now(tmpdir, matches, m->image_name, path_is_extension, seq[1], NULL, NULL);
|
||||
r = extract_now(tmpdir, matches, m->image_name, path_is_extension, relax_extension_release_check, seq[1], NULL, NULL);
|
||||
|
||||
child_finish:
|
||||
_exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
|
||||
@ -505,6 +507,7 @@ static int extract_image_and_extensions(
|
||||
char **matches,
|
||||
char **extension_image_paths,
|
||||
bool validate_sysext,
|
||||
bool relax_extension_release_check,
|
||||
Image **ret_image,
|
||||
OrderedHashmap **ret_extension_images,
|
||||
OrderedHashmap **ret_extension_releases,
|
||||
@ -553,7 +556,7 @@ static int extract_image_and_extensions(
|
||||
}
|
||||
}
|
||||
|
||||
r = portable_extract_by_path(image->path, /* path_is_extension= */ false, matches, &os_release, &unit_files, error);
|
||||
r = portable_extract_by_path(image->path, /* path_is_extension= */ false, /* relax_extension_release_check= */ false, matches, &os_release, &unit_files, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -593,7 +596,7 @@ static int extract_image_and_extensions(
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
const char *e;
|
||||
|
||||
r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, matches, &extension_release_meta, &extra_unit_files, error);
|
||||
r = portable_extract_by_path(ext->path, /* path_is_extension= */ true, relax_extension_release_check, matches, &extension_release_meta, &extra_unit_files, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -668,6 +671,7 @@ int portable_extract(
|
||||
const char *name_or_path,
|
||||
char **matches,
|
||||
char **extension_image_paths,
|
||||
PortableFlags flags,
|
||||
PortableMetadata **ret_os_release,
|
||||
OrderedHashmap **ret_extension_releases,
|
||||
Hashmap **ret_unit_files,
|
||||
@ -688,6 +692,7 @@ int portable_extract(
|
||||
matches,
|
||||
extension_image_paths,
|
||||
/* validate_sysext= */ false,
|
||||
/* relax_extension_release_check= */ FLAGS_SET(flags, PORTABLE_FORCE_SYSEXT),
|
||||
&image,
|
||||
&extension_images,
|
||||
&extension_releases,
|
||||
@ -955,6 +960,7 @@ static int install_chroot_dropin(
|
||||
OrderedHashmap *extension_images,
|
||||
const PortableMetadata *m,
|
||||
const char *dropin_dir,
|
||||
PortableFlags flags,
|
||||
char **ret_dropin,
|
||||
PortableChange **changes,
|
||||
size_t *n_changes) {
|
||||
@ -1004,7 +1010,16 @@ static int install_chroot_dropin(
|
||||
|
||||
if (m->image_path && !path_equal(m->image_path, image_path))
|
||||
ORDERED_HASHMAP_FOREACH(ext, extension_images)
|
||||
if (!strextend(&text, extension_setting_from_image(ext->type), ext->path, "\n"))
|
||||
if (!strextend(&text,
|
||||
extension_setting_from_image(ext->type),
|
||||
ext->path,
|
||||
/* With --force tell PID1 to avoid enforcing that the image <name> and
|
||||
* extension-release.<name> have to match. */
|
||||
!IN_SET(type, IMAGE_DIRECTORY, IMAGE_SUBVOLUME) &&
|
||||
FLAGS_SET(flags, PORTABLE_FORCE_SYSEXT) ?
|
||||
":x-systemd.relax-extension-release-check" :
|
||||
"",
|
||||
"\n"))
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
@ -1138,7 +1153,7 @@ static int attach_unit_file(
|
||||
* is reloaded while we are creating things here: as long as only the drop-ins exist the unit doesn't exist at
|
||||
* all for PID 1. */
|
||||
|
||||
r = install_chroot_dropin(image_path, type, extension_images, m, dropin_dir, &chroot_dropin, changes, n_changes);
|
||||
r = install_chroot_dropin(image_path, type, extension_images, m, dropin_dir, flags, &chroot_dropin, changes, n_changes);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -1303,6 +1318,7 @@ int portable_attach(
|
||||
matches,
|
||||
extension_image_paths,
|
||||
/* validate_sysext= */ true,
|
||||
/* relax_extension_release_check= */ FLAGS_SET(flags, PORTABLE_FORCE_SYSEXT),
|
||||
&image,
|
||||
&extension_images,
|
||||
/* extension_releases= */ NULL,
|
||||
@ -1357,7 +1373,7 @@ int portable_attach(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (!FLAGS_SET(flags, PORTABLE_REATTACH) && !FLAGS_SET(flags, PORTABLE_FORCE))
|
||||
if (!FLAGS_SET(flags, PORTABLE_REATTACH) && !FLAGS_SET(flags, PORTABLE_FORCE_ATTACH))
|
||||
HASHMAP_FOREACH(item, unit_files) {
|
||||
r = unit_file_exists(LOOKUP_SCOPE_SYSTEM, &paths, item->name);
|
||||
if (r < 0)
|
||||
@ -1600,7 +1616,7 @@ int portable_detach(
|
||||
if (r == 0)
|
||||
continue;
|
||||
|
||||
if (!FLAGS_SET(flags, PORTABLE_REATTACH) && !FLAGS_SET(flags, PORTABLE_FORCE)) {
|
||||
if (!FLAGS_SET(flags, PORTABLE_REATTACH) && !FLAGS_SET(flags, PORTABLE_FORCE_ATTACH)) {
|
||||
r = unit_file_is_active(bus, unit_name, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
@ -22,11 +22,12 @@ typedef struct PortableMetadata {
|
||||
|
||||
typedef enum PortableFlags {
|
||||
PORTABLE_RUNTIME = 1 << 0, /* Public API via DBUS, do not change */
|
||||
PORTABLE_FORCE = 1 << 1, /* Public API via DBUS, do not change */
|
||||
PORTABLE_PREFER_COPY = 1 << 2,
|
||||
PORTABLE_PREFER_SYMLINK = 1 << 3,
|
||||
PORTABLE_REATTACH = 1 << 4,
|
||||
_PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME | PORTABLE_FORCE,
|
||||
PORTABLE_FORCE_ATTACH = 1 << 1, /* Public API via DBUS, do not change */
|
||||
PORTABLE_FORCE_SYSEXT = 1 << 2, /* Public API via DBUS, do not change */
|
||||
PORTABLE_PREFER_COPY = 1 << 3,
|
||||
PORTABLE_PREFER_SYMLINK = 1 << 4,
|
||||
PORTABLE_REATTACH = 1 << 5,
|
||||
_PORTABLE_MASK_PUBLIC = PORTABLE_RUNTIME | PORTABLE_FORCE_ATTACH | PORTABLE_FORCE_SYSEXT,
|
||||
_PORTABLE_TYPE_MAX,
|
||||
_PORTABLE_TYPE_INVALID = -EINVAL,
|
||||
} PortableFlags;
|
||||
@ -66,7 +67,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(PortableMetadata*, portable_metadata_unref);
|
||||
|
||||
int portable_metadata_hashmap_to_sorted_array(Hashmap *unit_files, PortableMetadata ***ret);
|
||||
|
||||
int portable_extract(const char *image, char **matches, char **extension_image_paths, PortableMetadata **ret_os_release, OrderedHashmap **ret_extension_releases, Hashmap **ret_unit_files, char ***ret_valid_prefixes, sd_bus_error *error);
|
||||
int portable_extract(const char *image, char **matches, char **extension_image_paths, PortableFlags flags, PortableMetadata **ret_os_release, OrderedHashmap **ret_extension_releases, Hashmap **ret_unit_files, char ***ret_valid_prefixes, sd_bus_error *error);
|
||||
|
||||
int portable_attach(sd_bus *bus, const char *name_or_path, char **matches, const char *profile, char **extension_images, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error);
|
||||
int portable_detach(sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error);
|
||||
|
@ -260,7 +260,7 @@ static int maybe_reload(sd_bus **bus) {
|
||||
static int get_image_metadata(sd_bus *bus, const char *image, char **matches, sd_bus_message **reply) {
|
||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
|
||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
uint64_t flags = 0;
|
||||
uint64_t flags = arg_force ? PORTABLE_FORCE_SYSEXT : 0;
|
||||
const char *method;
|
||||
int r;
|
||||
|
||||
@ -869,7 +869,7 @@ static int attach_reattach_image(int argc, char *argv[], const char *method) {
|
||||
return bus_log_create_error(r);
|
||||
|
||||
if (STR_IN_SET(method, "AttachImageWithExtensions", "ReattachImageWithExtensions")) {
|
||||
uint64_t flags = (arg_runtime ? PORTABLE_RUNTIME : 0) | (arg_force ? PORTABLE_FORCE : 0);
|
||||
uint64_t flags = (arg_runtime ? PORTABLE_RUNTIME : 0) | (arg_force ? PORTABLE_FORCE_ATTACH | PORTABLE_FORCE_SYSEXT : 0);
|
||||
|
||||
r = sd_bus_message_append(m, "st", arg_copy_mode, flags);
|
||||
} else
|
||||
@ -941,7 +941,7 @@ static int detach_image(int argc, char *argv[], void *userdata) {
|
||||
if (strv_isempty(arg_extension_images))
|
||||
r = sd_bus_message_append(m, "b", arg_runtime);
|
||||
else {
|
||||
uint64_t flags = (arg_runtime ? PORTABLE_RUNTIME : 0) | (arg_force ? PORTABLE_FORCE : 0);
|
||||
uint64_t flags = (arg_runtime ? PORTABLE_RUNTIME : 0) | (arg_force ? PORTABLE_FORCE_ATTACH | PORTABLE_FORCE_SYSEXT : 0);
|
||||
|
||||
r = sd_bus_message_append(m, "t", flags);
|
||||
}
|
||||
|
@ -108,6 +108,7 @@ int bus_image_common_get_metadata(
|
||||
_cleanup_hashmap_free_ Hashmap *unit_files = NULL;
|
||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
|
||||
_cleanup_free_ PortableMetadata **sorted = NULL;
|
||||
PortableFlags flags = 0;
|
||||
int r;
|
||||
|
||||
assert(name_or_path || image);
|
||||
@ -142,6 +143,7 @@ int bus_image_common_get_metadata(
|
||||
return sd_bus_reply_method_errorf(message, SD_BUS_ERROR_INVALID_ARGS,
|
||||
"Invalid 'flags' parameter '%" PRIu64 "'",
|
||||
input_flags);
|
||||
flags |= input_flags;
|
||||
}
|
||||
|
||||
r = bus_image_acquire(m,
|
||||
@ -161,6 +163,7 @@ int bus_image_common_get_metadata(
|
||||
image->path,
|
||||
matches,
|
||||
extension_images,
|
||||
flags,
|
||||
&os_release,
|
||||
&extension_releases,
|
||||
&unit_files,
|
||||
|
@ -1174,7 +1174,7 @@ int image_read_metadata(Image *i) {
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to read os-release in image, ignoring: %m");
|
||||
|
||||
r = load_extension_release_pairs(i->path, i->name, &extension_release);
|
||||
r = load_extension_release_pairs(i->path, i->name, /* relax_extension_release_check= */ false, &extension_release);
|
||||
if (r < 0)
|
||||
log_debug_errno(r, "Failed to read extension-release in image, ignoring: %m");
|
||||
|
||||
|
@ -1510,7 +1510,7 @@ int dissected_image_mount(
|
||||
ok = true;
|
||||
}
|
||||
if (!ok && FLAGS_SET(flags, DISSECT_IMAGE_VALIDATE_OS_EXT)) {
|
||||
r = path_is_extension_tree(where, m->image_name);
|
||||
r = path_is_extension_tree(where, m->image_name, FLAGS_SET(flags, DISSECT_IMAGE_RELAX_SYSEXT_CHECK));
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r > 0)
|
||||
@ -2714,7 +2714,7 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_
|
||||
* we allow a fallback that matches on the first extension-release
|
||||
* file found in the directory, if one named after the image cannot
|
||||
* be found first. */
|
||||
r = open_extension_release(t, m->image_name, NULL, &fd);
|
||||
r = open_extension_release(t, m->image_name, /* relax_extension_release_check= */ false, NULL, &fd);
|
||||
if (r < 0)
|
||||
fd = r; /* Propagate the error. */
|
||||
break;
|
||||
@ -3152,6 +3152,15 @@ static const char *const partition_designator_table[] = {
|
||||
[PARTITION_VAR] = "var",
|
||||
};
|
||||
|
||||
static bool mount_options_relax_extension_release_checks(const MountOptions *options) {
|
||||
if (!options)
|
||||
return false;
|
||||
|
||||
return string_contains_word(mount_options_from_designator(options, PARTITION_ROOT), ",", "x-systemd.relax-extension-release-check") ||
|
||||
string_contains_word(mount_options_from_designator(options, PARTITION_USR), ",", "x-systemd.relax-extension-release-check") ||
|
||||
string_contains_word(options->options, ",", "x-systemd.relax-extension-release-check");
|
||||
}
|
||||
|
||||
int verity_dissect_and_mount(
|
||||
int src_fd,
|
||||
const char *src,
|
||||
@ -3166,17 +3175,21 @@ int verity_dissect_and_mount(
|
||||
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
|
||||
_cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
|
||||
DissectImageFlags dissect_image_flags;
|
||||
bool relax_extension_release_check;
|
||||
int r;
|
||||
|
||||
assert(src);
|
||||
assert(dest);
|
||||
|
||||
relax_extension_release_check = mount_options_relax_extension_release_checks(options);
|
||||
|
||||
/* We might get an FD for the image, but we use the original path to look for the dm-verity files */
|
||||
r = verity_settings_load(&verity, src, NULL, NULL);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to load root hash: %m");
|
||||
|
||||
dissect_image_flags = verity.data_path ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0;
|
||||
dissect_image_flags = (verity.data_path ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
|
||||
(relax_extension_release_check ? DISSECT_IMAGE_RELAX_SYSEXT_CHECK : 0);
|
||||
|
||||
/* Note that we don't use loop_device_make here, as the FD is most likely O_PATH which would not be
|
||||
* accepted by LOOP_CONFIGURE, so just let loop_device_make_by_path reopen it as a regular FD. */
|
||||
@ -3243,7 +3256,7 @@ int verity_dissect_and_mount(
|
||||
|
||||
assert(!isempty(required_host_os_release_id));
|
||||
|
||||
r = load_extension_release_pairs(dest, dissected_image->image_name, &extension_release);
|
||||
r = load_extension_release_pairs(dest, dissected_image->image_name, relax_extension_release_check, &extension_release);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to parse image %s extension-release metadata: %m", dissected_image->image_name);
|
||||
|
||||
|
@ -208,6 +208,7 @@ typedef enum DissectImageFlags {
|
||||
DISSECT_IMAGE_MOUNT_IDMAPPED = 1 << 19, /* Mount mounts with kernel 5.12-style userns ID mapping, if file system type doesn't support uid=/gid= */
|
||||
DISSECT_IMAGE_MANAGE_PARTITION_DEVICES = 1 << 20, /* Manage partition devices, e.g. probe each partition in more detail */
|
||||
DISSECT_IMAGE_BLOCK_DEVICE = DISSECT_IMAGE_MANAGE_PARTITION_DEVICES,
|
||||
DISSECT_IMAGE_RELAX_SYSEXT_CHECK = 1 << 21, /* Don't insist that the extension-release file name matches the image name */
|
||||
} DissectImageFlags;
|
||||
|
||||
struct DissectedImage {
|
||||
|
@ -765,7 +765,9 @@ int mount_option_mangle(
|
||||
}
|
||||
|
||||
/* If 'word' is not a mount flag, then store it in '*ret_remaining_options'. */
|
||||
if (!ent->name && !strextend_with_separator(&ret, ",", word))
|
||||
if (!ent->name &&
|
||||
!startswith_no_case(word, "x-") &&
|
||||
!strextend_with_separator(&ret, ",", word))
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
|
@ -141,6 +141,18 @@ portablectl detach --now --runtime --extension /usr/share/app1.raw /usr/share/mi
|
||||
grep -q -F bar "${STATE_DIRECTORY}/app0/foo"
|
||||
grep -q -F baz "${STATE_DIRECTORY}/app1/foo"
|
||||
|
||||
# Ensure that we can override the check on extension-release.NAME
|
||||
cp /usr/share/app0.raw /tmp/app10.raw
|
||||
portablectl "${ARGS[@]}" attach --force --now --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0
|
||||
|
||||
systemctl is-active app0.service
|
||||
status="$(portablectl is-attached --extension /tmp/app10.raw /usr/share/minimal_0.raw)"
|
||||
[[ "${status}" == "running-runtime" ]]
|
||||
|
||||
portablectl inspect --force --cat --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /tmp/app10.raw"
|
||||
|
||||
portablectl detach --force --now --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0
|
||||
|
||||
# portablectl also works with directory paths rather than images
|
||||
|
||||
mkdir /tmp/rootdir /tmp/app0 /tmp/app1 /tmp/overlay /tmp/os-release-fix /tmp/os-release-fix/etc
|
||||
|
Loading…
x
Reference in New Issue
Block a user