sysext: define a default image dissection policy for confext images 27229/head
authorLennart Poettering <lennart@poettering.net>
Wed, 12 Apr 2023 12:27:20 +0000 (14:27 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 12 Apr 2023 12:54:44 +0000 (14:54 +0200)
man/systemd-sysext.xml
src/shared/image-policy.c
src/shared/image-policy.h
src/sysext/sysext.c

index a257fa73bca298032154899cc033016c51849bea..6e164077e2e897444d25a27ad8858ed7126f07aa 100644 (file)
         <listitem><para>Takes an image policy string as argument, as per
         <citerefentry><refentrytitle>systemd.image-policy</refentrytitle><manvolnum>7</manvolnum></citerefentry>. The
         policy is enforced when operating on system extension disk images. If not specified defaults to
-        <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>,
-        i.e. only the root and <filename>/usr/</filename> file systems in the image are used. When run in the
-        initrd and operating on a system extension image stored in the <filename>/.extra/sysext/</filename>
-        directory a slightly stricter policy is used by default:
-        <literal>root=signed+absent:usr=signed+absent</literal>, see above for details.</para></listitem>
+        <literal>root=verity+signed+encrypted+unprotected+absent:usr=verity+signed+encrypted+unprotected+absent</literal>
+        for system extensions, i.e. only the root and <filename>/usr/</filename> file systems in the image
+        are used. For configuration extensions defaults to
+        <literal>root=verity+signed+encrypted+unprotected+absent</literal>. When run in the initrd and
+        operating on a system extension image stored in the <filename>/.extra/sysext/</filename> directory a
+        slightly stricter policy is used by default: <literal>root=signed+absent:usr=signed+absent</literal>,
+        see above for details.</para></listitem>
       </varlistentry>
 
       <xi:include href="standard-options.xml" xpointer="no-pager" />
index 5baeac4c5d8b14e8ebad1f42851c60f36649e9b0..8e27021b6661df0fe12a67f0b72466443fa4b11e 100644 (file)
@@ -641,6 +641,16 @@ const ImagePolicy image_policy_sysext_strict = {
         .default_flags = PARTITION_POLICY_IGNORE,
 };
 
+const ImagePolicy image_policy_confext = {
+        /* For configuraiton extensions, honour root file system, and ignore everything else. After all, we
+         * are only interested in the /etc/ tree anyway, and that's really the only place it can be. */
+        .n_policies = 1,
+        .policies = {
+                { PARTITION_ROOT,     PARTITION_POLICY_VERITY|PARTITION_POLICY_SIGNED|PARTITION_POLICY_ENCRYPTED|PARTITION_POLICY_UNPROTECTED|PARTITION_POLICY_ABSENT },
+        },
+        .default_flags = PARTITION_POLICY_IGNORE,
+};
+
 const ImagePolicy image_policy_container = {
         /* For systemd-nspawn containers we use all partitions, with the exception of swap */
         .n_policies = 8,
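Review bot: The comment on the new image_policy_confext entry misspells "configuration" as "configuraiton"; the line should read `/* For configuration extensions, honour root file system, and ignore everything else. After all, we`. The comment would also help readers if it said outright that this is the permissive variant: PARTITION_POLICY_UNPROTECTED is part of the root flags, so an unsigned, non-verity root partition is accepted by default, which is what the header comment in this commit describes as "No verity required". Appending `This is the non-strict default; PARTITION_POLICY_UNPROTECTED means unsigned, non-verity roots are accepted, callers wanting stricter handling must pick another policy.` to the comment would make that visible at the definition rather than only in the man page hunk.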
index a5e37642afa0430c551ba6fc019767b4fd049140..848b24c147f01f55a7693270ae8d31faef638fa3 100644 (file)
@@ -59,6 +59,7 @@ extern const ImagePolicy image_policy_deny;
 extern const ImagePolicy image_policy_ignore;
 extern const ImagePolicy image_policy_sysext;        /* No verity required */
 extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
+extern const ImagePolicy image_policy_confext;       /* No verity required */
 extern const ImagePolicy image_policy_container;
 extern const ImagePolicy image_policy_service;
 extern const ImagePolicy image_policy_host;
index 3fc6b910c4e1ff97be9492b25317825a3be8af54..df4092fea9f60f425d52b553e19c933046c1b4bd 100644 (file)
@@ -63,6 +63,7 @@ static const struct {
         const char *level_env;
         const char *scope_env;
         const char *name_env;
+        const ImagePolicy *default_image_policy;
 } image_class_info[_IMAGE_CLASS_MAX] = {
         [IMAGE_SYSEXT] = {
                 .dot_directory_name = ".systemd-sysext",
@@ -72,6 +73,7 @@ static const struct {
                 .level_env = "SYSEXT_LEVEL",
                 .scope_env = "SYSEXT_SCOPE",
                 .name_env = "SYSTEMD_SYSEXT_HIERARCHIES",
+                .default_image_policy = &image_policy_sysext,
         },
         [IMAGE_CONFEXT] = {
                 .dot_directory_name = ".systemd-confext",
@@ -81,6 +83,7 @@ static const struct {
                 .level_env = "CONFEXT_LEVEL",
                 .scope_env = "CONFEXT_SCOPE",
                 .name_env = "SYSTEMD_CONFEXT_HIERARCHIES",
+                .default_image_policy = &image_policy_confext,
         }
 };
 
@@ -458,7 +461,7 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
         if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
                 return &image_policy_sysext_strict;
 
-        return &image_policy_sysext;
+        return image_class_info[img->class].default_image_policy;
 }
 
 static int merge_subprocess(Hashmap *images, const char *workspace) {
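Review bot: In pick_image_policy the strict initrd override on the line above the change still keys only on the "/.extra/sysext/" path prefix and runs before the class lookup, so a confext image never receives image_policy_sysext_strict and always gets the new per-class default, which (per the image-policy.c hunk) admits unprotected root partitions. If that asymmetry is intended, a comment such as `/* The strict initrd policy is tied to the sysext drop-in directory only; confext images always use the class default. */` above the in_initrd() check would make it explicit; if not, the drop-in path should probably also come from image_class_info so each class can opt into the strict variant. The new lookup `image_class_info[img->class]` relies on img->class being a valid ImageClass; an `assert(img->class >= 0 && img->class < _IMAGE_CLASS_MAX);` before it would tie the access to the table size declared in the first hunk. pick_image_policy begins before this hunk.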