Merge pull request #27229 from poettering/dissect-policy-confext

dissect: follow-up for image policy merge

man/systemd-sysext.xml

@@ -281,11 +281,13 @@
         <listitem><para>Takes an image policy string as argument, as per
         <citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
         policy is enforced when operating on system extension disk images. If not specified defaults to
-        <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>,
+        <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>
-        i.e. only the root and <filename>/usr/</filename> file systems in the image are used. When run in the
+        for system extensions, i.e. only the root and <filename>/usr/</filename> file systems in the image
-        initrd and operating on a system extension image stored in the <filename>/.extra/sysext/</filename>
+        are used. For configuration extensions defaults to
-        directory a slightly stricter policy is used by default:
+        <literal>root=verity+signed+encrypted+unprotected+absent</literal>. When run in the initrd and
-        <literal>root=signed+absent:usr=signed+absent</literal>, see above for details.</para></listitem>
+        operating on a system extension image stored in the <filename>/.extra/sysext/</filename> directory a
+        slightly stricter policy is used by default: <literal>root=signed+absent:usr=signed+absent</literal>,
+        see above for details.</para></listitem>
       </varlistentry>
 
       <xi:include href="standard-options.xml" xpointer="no-pager" />

src/shared/discover-image.c

@@ -79,12 +79,10 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
 static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
         /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
 
-        [IMAGE_SYSEXT] = "/etc/extensions\0"             /* only place symlinks here */
+        [IMAGE_SYSEXT] =    "/etc/extensions\0"            /* only place symlinks here */
-                         "/run/extensions\0"             /* and here too */
+                            "/run/extensions\0"            /* and here too */
-                         "/var/lib/extensions\0"         /* the main place for images */
+                            "/var/lib/extensions\0"        /* the main place for images */
-                         "/usr/local/lib/extensions\0"
+                            "/.extra/sysext\0"             /* put sysext picked up by systemd-stub last, since not trusted */
-                         "/usr/lib/extensions\0"
-                         "/.extra/sysext\0"              /* put sysext picked up by systemd-stub last, since not trusted */
 };
 
 static Image *image_free(Image *i) {

src/shared/image-policy.c

@@ -641,6 +641,16 @@ const ImagePolicy image_policy_sysext_strict = {
         .default_flags = PARTITION_POLICY_IGNORE,
 };
 
+const ImagePolicy image_policy_confext = {
+        /* For configuraiton extensions, honour root file system, and ignore everything else. After all, we
+         * are only interested in the /etc/ tree anyway, and that's really the only place it can be. */
+        .n_policies = 1,
+        .policies = {
+                { PARTITION_ROOT,     PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED|PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_ABSENT },
+        },
+        .default_flags = PARTITION_POLICY_IGNORE,
+};
+
 const ImagePolicy image_policy_container = {
         /* For systemd-nspawn containers we use all partitions, with the exception of swap */
         .n_policies = 8,

src/shared/image-policy.h

@@ -59,6 +59,7 @@ extern const ImagePolicy image_policy_deny;
 extern const ImagePolicy image_policy_ignore;
 extern const ImagePolicy image_policy_sysext;        /* No verity required */
 extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
+extern const ImagePolicy image_policy_confext;       /* No verity required */
 extern const ImagePolicy image_policy_container;
 extern const ImagePolicy image_policy_service;
 extern const ImagePolicy image_policy_host;

src/sysext/sysext.c

@@ -63,6 +63,7 @@ static const struct {
         const char *level_env;
         const char *scope_env;
         const char *name_env;
+        const ImagePolicy *default_image_policy;
 } image_class_info[_IMAGE_CLASS_MAX] = {
         [IMAGE_SYSEXT] = {
                 .dot_directory_name = ".systemd-sysext",
@@ -72,6 +73,7 @@ static const struct {
                 .level_env = "SYSEXT_LEVEL",
                 .scope_env = "SYSEXT_SCOPE",
                 .name_env = "SYSTEMD_SYSEXT_HIERARCHIES",
+                .default_image_policy = &image_policy_sysext,
         },
         [IMAGE_CONFEXT] = {
                 .dot_directory_name = ".systemd-confext",
@@ -81,6 +83,7 @@ static const struct {
                 .level_env = "CONFEXT_LEVEL",
                 .scope_env = "CONFEXT_SCOPE",
                 .name_env = "SYSTEMD_CONFEXT_HIERARCHIES",
+                .default_image_policy = &image_policy_confext,
         }
 };
 
@@ -458,7 +461,7 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
         if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
                 return &image_policy_sysext_strict;
 
-        return &image_policy_sysext;
+        return image_class_info[img->class].default_image_policy;
 }
 
 static int merge_subprocess(Hashmap *images, const char *workspace) {