1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-23 02:04:32 +03:00

vpick: ensure extension ABI matches the root's

Extensions can only run on the same ABI as the root image,
so if an ABI is specified, ensure the extensions match it
This commit is contained in:
Luca Boccassi 2024-07-18 23:10:53 +01:00
parent 56b16cb583
commit dbb5891f8c
4 changed files with 26 additions and 6 deletions

View File

@ -2994,7 +2994,8 @@ static int pick_versions(
const ExecContext *context, const ExecContext *context,
const ExecParameters *params, const ExecParameters *params,
char **ret_root_image, char **ret_root_image,
char **ret_root_directory) { char **ret_root_directory,
Abi *ret_root_abi) {
int r; int r;
@ -3002,6 +3003,7 @@ static int pick_versions(
assert(params); assert(params);
assert(ret_root_image); assert(ret_root_image);
assert(ret_root_directory); assert(ret_root_directory);
assert(ret_root_abi);
if (context->root_image) { if (context->root_image) {
_cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL; _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
@ -3020,6 +3022,7 @@ static int pick_versions(
*ret_root_image = TAKE_PTR(result.path); *ret_root_image = TAKE_PTR(result.path);
*ret_root_directory = NULL; *ret_root_directory = NULL;
*ret_root_abi = result.abi;
return r; return r;
} }
@ -3040,10 +3043,12 @@ static int pick_versions(
*ret_root_image = NULL; *ret_root_image = NULL;
*ret_root_directory = TAKE_PTR(result.path); *ret_root_directory = TAKE_PTR(result.path);
*ret_root_abi = result.abi;
return r; return r;
} }
*ret_root_image = *ret_root_directory = NULL; *ret_root_image = *ret_root_directory = NULL;
*ret_root_abi = _ABI_INVALID;
return 0; return 0;
} }
@ -3066,6 +3071,7 @@ static int apply_mount_namespace(
bool setup_os_release_symlink; bool setup_os_release_symlink;
BindMount *bind_mounts = NULL; BindMount *bind_mounts = NULL;
size_t n_bind_mounts = 0; size_t n_bind_mounts = 0;
Abi root_abi = _ABI_INVALID;
int r; int r;
assert(context); assert(context);
@ -3077,7 +3083,8 @@ static int apply_mount_namespace(
context, context,
params, params,
&root_image, &root_image,
&root_dir); &root_dir,
&root_abi);
if (r < 0) if (r < 0)
return r; return r;
@ -3194,6 +3201,7 @@ static int apply_mount_namespace(
.root_image = root_image, .root_image = root_image,
.root_image_options = context->root_image_options, .root_image_options = context->root_image_options,
.root_image_policy = context->root_image_policy ?: &image_policy_service, .root_image_policy = context->root_image_policy ?: &image_policy_service,
.root_abi = root_abi,
.read_write_paths = read_write_paths, .read_write_paths = read_write_paths,
.read_only_paths = needs_sandboxing ? context->read_only_paths : NULL, .read_only_paths = needs_sandboxing ? context->read_only_paths : NULL,

View File

@ -473,6 +473,7 @@ static int append_mount_images(MountList *ml, const MountImage *mount_images, si
static int append_extensions( static int append_extensions(
MountList *ml, MountList *ml,
const char *root, const char *root,
Abi root_abi,
const char *private_namespace_dir, const char *private_namespace_dir,
char **hierarchies, char **hierarchies,
const MountImage *mount_images, const MountImage *mount_images,
@ -511,11 +512,14 @@ static int append_extensions(
_cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL; _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
_cleanup_free_ char *mount_point = NULL; _cleanup_free_ char *mount_point = NULL;
const MountImage *m = mount_images + i; const MountImage *m = mount_images + i;
/* Ensure we pick extensions with the same ABI as the root */
PickFilter filter = pick_filter_image_raw;
filter.abi = root_abi;
r = path_pick(/* toplevel_path= */ NULL, r = path_pick(/* toplevel_path= */ NULL,
/* toplevel_fd= */ AT_FDCWD, /* toplevel_fd= */ AT_FDCWD,
m->source, m->source,
&pick_filter_image_raw, &filter,
PICK_ABI|PICK_TRIES, PICK_ABI|PICK_TRIES,
&result); &result);
if (r < 0) if (r < 0)
@ -566,6 +570,9 @@ static int append_extensions(
_cleanup_free_ char *mount_point = NULL; _cleanup_free_ char *mount_point = NULL;
const char *e = *extension_directory; const char *e = *extension_directory;
bool ignore_enoent = false; bool ignore_enoent = false;
/* Ensure we pick extensions with the same ABI as the root */
PickFilter filter = pick_filter_image_dir;
filter.abi = root_abi;
/* Pick up the counter where the ExtensionImages left it. */ /* Pick up the counter where the ExtensionImages left it. */
if (asprintf(&mount_point, "%s/unit-extensions/%zu", private_namespace_dir, n_mount_images++) < 0) if (asprintf(&mount_point, "%s/unit-extensions/%zu", private_namespace_dir, n_mount_images++) < 0)
@ -583,7 +590,7 @@ static int append_extensions(
r = path_pick(/* toplevel_path= */ NULL, r = path_pick(/* toplevel_path= */ NULL,
/* toplevel_fd= */ AT_FDCWD, /* toplevel_fd= */ AT_FDCWD,
e, e,
&pick_filter_image_dir, &filter,
PICK_ABI|PICK_TRIES, PICK_ABI|PICK_TRIES,
&result); &result);
if (r < 0) if (r < 0)
@ -2396,7 +2403,7 @@ int setup_namespace(const NamespaceParameters *p, char **error_path) {
if (r < 0) if (r < 0)
return r; return r;
r = append_extensions(&ml, root, p->private_namespace_dir, hierarchies, p->extension_images, p->n_extension_images, p->extension_directories); r = append_extensions(&ml, root, p->root_abi, p->private_namespace_dir, hierarchies, p->extension_images, p->n_extension_images, p->extension_directories);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -97,6 +97,7 @@ struct NamespaceParameters {
const char *root_image; const char *root_image;
const MountOptions *root_image_options; const MountOptions *root_image_options;
const ImagePolicy *root_image_policy; const ImagePolicy *root_image_policy;
Abi root_abi;
char **read_write_paths; char **read_write_paths;
char **read_only_paths; char **read_only_paths;

View File

@ -615,10 +615,14 @@ static int extract_image_and_extensions(
const char *path = *p; const char *path = *p;
if (path_is_absolute(*p)) { if (path_is_absolute(*p)) {
/* Ensure we pick extensions with the same ABI as the root */
PickFilter filter = pick_filter_image_any;
filter.abi = result.abi;
r = path_pick(/* toplevel_path= */ NULL, r = path_pick(/* toplevel_path= */ NULL,
/* toplevel_fd= */ AT_FDCWD, /* toplevel_fd= */ AT_FDCWD,
*p, *p,
&pick_filter_image_any, &filter,
PICK_ABI|PICK_TRIES|PICK_RESOLVE, PICK_ABI|PICK_TRIES|PICK_RESOLVE,
&ext_result); &ext_result);
if (r < 0) if (r < 0)