shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-02-24 17:57:34 +03:00
Code

sysext: default to a stricter image policy when reading /.extra/sysext/ DDIs

Browse Source
This commit is contained in:
Lennart Poettering 2022-12-13 16:27:48 +01:00
parent 73740c9f84
commit a594288d79
5 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/analyze/analyze-image-policy.c
View File

@ -90,6 +90,8 @@ int verb_image_policy(int argc, char *argv[], void *userdata) {
* introspect our own defaults without guaranteeing API safety. */
if (streq(argv[i], "@sysext"))
p = &image_policy_sysext;
else if (streq(argv[i], "@sysext-strict"))
p = &image_policy_sysext_strict;
else if (streq(argv[i], "@container"))
p = &image_policy_container;
else if (streq(argv[i], "@service"))

10
src/shared/image-policy.c
View File

@ -631,6 +631,16 @@ const ImagePolicy image_policy_sysext = {
.default_flags = PARTITION_POLICY_IGNORE,
};
const ImagePolicy image_policy_sysext_strict = {
/* For system extensions, requiring signing */
.n_policies = 2,
.policies = {
{ PARTITION_ROOT, PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT },
{ PARTITION_USR, PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT },
},
.default_flags = PARTITION_POLICY_IGNORE,
};
const ImagePolicy image_policy_container = {
/* For systemd-nspawn containers we use all partitions, with the exception of swap */
.n_policies = 8,

3
src/shared/image-policy.h
View File

@ -57,7 +57,8 @@ struct ImagePolicy {
extern const ImagePolicy image_policy_allow;
extern const ImagePolicy image_policy_deny;
extern const ImagePolicy image_policy_ignore;
extern const ImagePolicy image_policy_sysext;
extern const ImagePolicy image_policy_sysext; /* No verity required */
extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
extern const ImagePolicy image_policy_container;
extern const ImagePolicy image_policy_service;
extern const ImagePolicy image_policy_host;

20
src/sysext/sysext.c
View File

@ -410,6 +410,24 @@ static int strverscmp_improvedp(char *const* a, char *const* b) {
return strverscmp_improved(*a, *b);
}
static const ImagePolicy *pick_image_policy(const Image *img) {
assert(img);
assert(img->path);
/* Explicitly specified policy always wins */
if (arg_image_policy)
return arg_image_policy;
/* If located in /.extra/sysext/ in the initrd, then it was placed there by systemd-stub, and was
* picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
* other directories we assume the appropriate level of trust was already established already. */
if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
return &image_policy_sysext_strict;
return &image_policy_sysext;
}
static int merge_subprocess(Hashmap *images, const char *workspace) {
_cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL, *host_os_release_sysext_level = NULL,
*buf = NULL;
@ -526,7 +544,7 @@ static int merge_subprocess(Hashmap *images, const char *workspace) {
d,
&verity_settings,
/* mount_options= */ NULL,
arg_image_policy ?: &image_policy_sysext,
pick_image_policy(img),
flags,
&m);
if (r < 0)

1
src/test/test-image-policy.c
View File

@ -77,6 +77,7 @@ TEST_RET(test_image_policy_to_string) {
test_policy(&image_policy_ignore, "-");
test_policy(&image_policy_deny, "~");
test_policy(&image_policy_sysext, "sysext");
test_policy(&image_policy_sysext_strict, "sysext-strict");
test_policy(&image_policy_container, "container");
test_policy(&image_policy_host, "host");
test_policy(&image_policy_service, "service");