core: fix loading verity settings for MountImages= (#35577)

The MountEntry logic was refactored to store the verity settings, and updated for ExtensionImages=, but not for MountImages=. Follow-up for a1a40297dbfa5bcd926d1a19320deb73c033c6f5
2025-03-11 20:58:27 +03:00 · 2024-12-12 13:06:07 +00:00 · 2024-12-12 13:06:07 +00:00 · 9fdf10604b
commit 9fdf10604b
parent fc35981fda c7fcb08324
3 changed files with 19 additions and 0 deletions
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -480,20 +480,28 @@ static int append_bind_mounts(MountList *ml, const BindMount *binds, size_t n) {
 }

 static int append_mount_images(MountList *ml, const MountImage *mount_images, size_t n) {
+        int r;
+
        assert(ml);
        assert(mount_images || n == 0);

        FOREACH_ARRAY(m, mount_images, n) {
+                _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
                MountEntry *me = mount_list_extend(ml);
                if (!me)
                        return log_oom_debug();

+                r = verity_settings_load(&verity, m->source, /* root_hash_path= */ NULL, /* root_hash_sig_path= */ NULL);
+                if (r < 0)
+                        return log_debug_errno(r, "Failed to check verity root hash of %s: %m", m->source);
+
                *me = (MountEntry) {
                        .path_const = m->destination,
                        .mode = MOUNT_IMAGE,
                        .source_const = m->source,
                        .image_options_const = m->mount_options,
                        .ignore = m->ignore_enoent,
+                        .verity = TAKE_GENERIC(verity, VeritySettings, VERITY_SETTINGS_DEFAULT),
                };
        }

--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@ -281,6 +281,9 @@ systemd-run -P \
            -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
            -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
            cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run -P \
+            -p MountImages="$MINIMAL_IMAGE.raw:/run/img2" \
+            veritysetup status "${MINIMAL_IMAGE_ROOTHASH}-verity" | grep -q "${MINIMAL_IMAGE_ROOTHASH}"
 cat >/run/systemd/system/testservice-50c.service <<EOF
 [Service]
 MountAPIVFS=yes
@ -362,6 +365,12 @@ systemd-run -P \
            --property ExtensionImages=/etc/service-scoped-test.raw \
            --property RootImage="$MINIMAL_IMAGE.raw" \
            cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
+systemd-run -P \
+            --property ExtensionImages="/tmp/app0.raw /tmp/conf0.raw" \
+            veritysetup status "$(cat /tmp/app0.roothash)-verity" | grep -q "$(cat /tmp/app0.roothash)"
+systemd-run -P \
+            --property ExtensionImages="/tmp/app0.raw /tmp/conf0.raw" \
+            veritysetup status "$(cat /tmp/conf0.roothash)-verity" | grep -q "$(cat /tmp/conf0.roothash)"

 # Check that two identical verity images at different paths do not fail with -ELOOP from OverlayFS
 mkdir -p /tmp/loop
--- a/test/units/util.sh
+++ b/test/units/util.sh
@ -284,6 +284,7 @@ EOF
        chmod +x "$initdir/opt/script0.sh"
        echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
        mksquashfs "$initdir" /tmp/app0.raw -noappend
+        veritysetup format /tmp/app0.raw /tmp/app0.verity --root-hash-file /tmp/app0.roothash

        initdir="/var/tmp/conf0"
        mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
@ -295,6 +296,7 @@ EOF
        ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
        echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
        mksquashfs "$initdir" /tmp/conf0.raw -noappend
+        veritysetup format /tmp/conf0.raw /tmp/conf0.verity --root-hash-file /tmp/conf0.roothash

        initdir="/var/tmp/app1"
        mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt"