sysext: Support global sysext/confext 38113/head
authorVitaly Kuznetsov <vkuznets@redhat.com>
Mon, 7 Jul 2025 13:03:55 +0000 (15:03 +0200)
committerVitaly Kuznetsov <vkuznets@redhat.com>
Fri, 11 Jul 2025 11:08:26 +0000 (13:08 +0200)
Load global sysext/confext from /.extra/global_{sysext,confext} which
systemd-stub puts there from ESP/loader/credentials/*.{sysext,confext}.raw.
Global extensions are handled the exact same way as per-UKI ones.

src/shared/discover-image.c
src/sysext/sysext.c
units/systemd-confext-initrd.service
units/systemd-sysext-initrd.service

index 089d656f40015c325915879c1ade4bf453929b2b..d39c3a13563422c112dca6846a3f6efb66ca3ac7 100644 (file)
@@ -76,20 +76,22 @@ const char* const image_search_path[_IMAGE_CLASS_MAX] = {
                             "/usr/lib/confexts\0",
 };
 
-/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
- * .extra/confext/ in extension search dir) */
+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/,
+ * /.extra/global_sysext, .extra/confext/, and /.extra/global_confext in extension search dir) */
 static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
         /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
 
         [IMAGE_SYSEXT] =    "/etc/extensions\0"            /* only place symlinks here */
                             "/run/extensions\0"            /* and here too */
                             "/var/lib/extensions\0"        /* the main place for images */
-                            "/.extra/sysext\0",            /* put sysext picked up by systemd-stub last, since not trusted */
+                            "/.extra/sysext\0"             /* put sysext (per-UKI and global) picked up by systemd-stub */
+                            "/.extra/global_sysext\0",     /* last, since not trusted */
 
         [IMAGE_CONFEXT] =   "/run/confexts\0"              /* only place symlinks here */
                             "/var/lib/confexts\0"          /* the main place for images */
                             "/usr/local/lib/confexts\0"
-                            "/.extra/confext\0",           /* put confext picked up by systemd-stub last, since not trusted */
+                            "/.extra/confext\0"            /* put confext (per-UKI and global) picked up by systemd-stub */
+                            "/.extra/global_confext\0",    /* last, since not trusted. */
 };
 
 static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {
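Review bot: The rewritten comments on the two new search-path entries split one sentence across two lines (`put sysext (per-UKI and global) picked up by systemd-stub` / `last, since not trusted`), and the header comment mixes the relative `.extra/sysext/` form with the absolute `/.extra/global_sysext`; pick one notation and keep each entry's comment self-contained. The list order also presumably means a per-UKI image in `/.extra/sysext` takes precedence over a global image of the same name in `/.extra/global_sysext` (inferred from how the search path is consumed, not visible here) — worth stating on the entry, e.g. `/* untrusted stub-provided dirs go last; per-UKI dir precedes global so it wins on a name clash */`. The same applies to the confext pair.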
index b232ee4fc19682c4b369c3688641982978d887c8..97a835b8c851175ab94acccc921423b1e6de2478 100644 (file)
@@ -1660,15 +1660,19 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
         if (arg_image_policy)
                 return arg_image_policy;
 
-        /* If located in /.extra/sysext/ in the initrd, then it was placed there by systemd-stub, and was
+        /* If located in /.extra/ in the initrd, then it was placed there by systemd-stub, and was
          * picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
          * other directories we assume the appropriate level of trust was already established already.  */
 
         if (in_initrd()) {
                 if (path_startswith(img->path, "/.extra/sysext/"))
                         return &image_policy_sysext_strict;
+                if (path_startswith(img->path, "/.extra/global_sysext/"))
+                        return &image_policy_sysext_strict;
                 if (path_startswith(img->path, "/.extra/confext/"))
                         return &image_policy_confext_strict;
+                if (path_startswith(img->path, "/.extra/global_confext/"))
+                        return &image_policy_confext_strict;
 
                 /* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
                 if (path_startswith(img->path, "/.extra/"))
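Review bot: The two added `path_startswith` checks duplicate the existing ones with only the prefix differing, so each strict policy is now selected by two separate if-statements in a row; fold each pair into one condition, `if (path_startswith(img->path, "/.extra/sysext/") || path_startswith(img->path, "/.extra/global_sysext/")) return &image_policy_sysext_strict;` and likewise for the confext pair. Behaviour is the same either way, since the trailing `/.extra/` catch-all keeps any other stub-provided path on the strict fallback. pick_image_policy starts before this hunk and its body continues past it.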
index 22461fa7120a4f2d391a54dddec5182f8e556aab..073307edcce7fe56ff9c9177342acf8ad8a31805 100644 (file)
@@ -17,6 +17,7 @@ ConditionDirectoryNotEmpty=|/var/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
 ConditionDirectoryNotEmpty=|/usr/lib/confexts
 ConditionDirectoryNotEmpty=|/.extra/confext
+ConditionDirectoryNotEmpty=|/.extra/global_confext
 ConditionPathExists=/etc/initrd-release
 
 DefaultDependencies=no
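Review bot: The new `ConditionDirectoryNotEmpty=|/.extra/global_confext` line has to mirror the `/.extra/global_confext` entry added to image_search_path_initrd in src/shared/discover-image.c, but nothing in the unit records that coupling. A unit-file comment above the condition list, `# Keep in sync with image_search_path_initrd in src/shared/discover-image.c`, would help whoever adds the next directory. The same applies to the `/.extra/global_sysext` line in units/systemd-sysext-initrd.service.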
index f21990aad0127fcf6a2f4cb83295fb4fba9371c6..4a411bb65e0efe3a632bbecf26556183121c7486 100644 (file)
@@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/etc/extensions
 ConditionDirectoryNotEmpty=|/run/extensions
 ConditionDirectoryNotEmpty=|/var/lib/extensions
 ConditionDirectoryNotEmpty=|/.extra/sysext
+ConditionDirectoryNotEmpty=|/.extra/global_sysext
 ConditionPathExists=/etc/initrd-release
 
 DefaultDependencies=no