From: Luca Boccassi Date: Tue, 10 Oct 2023 17:50:36 +0000 (+0100) Subject: core: fix checking for extension-releases for ExtensionImages/Directories X-Git-Tag: v255-rc1~259 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5897469a08f6b6ba1094729176a9b89bad992bae;p=thirdparty%2Fsystemd.git core: fix checking for extension-releases for ExtensionImages/Directories The parsing is done after the image has been opened, not before, as it cannot be done on an block device. Also fix returning on any error for ExtensionDirectories, not just ENOENT. Follow-up for 55ea4ef096543d2bceea9315868d5aca945d7a57 --- diff --git a/src/core/namespace.c b/src/core/namespace.c index 00b1a17b4f3..9165a481f53 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1269,9 +1269,8 @@ static int mount_image( const ImagePolicy *image_policy) { _cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL, - *host_os_release_level = NULL, *extension_name = NULL; - _cleanup_strv_free_ char **extension_release = NULL; - ImageClass class = IMAGE_SYSEXT; + *host_os_release_sysext_level = NULL, *host_os_release_confext_level = NULL, + *extension_name = NULL; int r; assert(m); @@ -1281,20 +1280,12 @@ static int mount_image( return log_debug_errno(r, "Failed to extract extension name from %s: %m", mount_entry_source(m)); if (m->mode == EXTENSION_IMAGES) { - r = load_extension_release_pairs(mount_entry_source(m), IMAGE_SYSEXT, extension_name, /* relax_extension_release_check= */ false, &extension_release); - if (r == -ENOENT) { - r = load_extension_release_pairs(mount_entry_source(m), IMAGE_CONFEXT, extension_name, /* relax_extension_release_check= */ false, &extension_release); - if (r >= 0) - class = IMAGE_CONFEXT; - } - if (r == -ENOENT) - return r; - r = parse_os_release( empty_to_root(root_directory), "ID", &host_os_release_id, "VERSION_ID", &host_os_release_version_id, - image_class_info[class].level_env, &host_os_release_level, + image_class_info[IMAGE_SYSEXT].level_env, &host_os_release_sysext_level, + image_class_info[IMAGE_CONFEXT].level_env, &host_os_release_confext_level, NULL); if (r < 0) return log_debug_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); @@ -1310,20 +1301,23 @@ static int mount_image( image_policy, host_os_release_id, host_os_release_version_id, - host_os_release_level, + host_os_release_sysext_level, + host_os_release_confext_level, /* required_sysext_scope= */ NULL, /* ret_image= */ NULL); if (r == -ENOENT && m->ignore) return 0; if (r == -ESTALE && host_os_release_id) return log_error_errno(r, - "Failed to mount image %s, extension-release metadata does not match the lower layer's: ID=%s%s%s%s%s", + "Failed to mount image %s, extension-release metadata does not match the lower layer's: ID=%s%s%s%s%s%s%s", mount_entry_source(m), host_os_release_id, host_os_release_version_id ? " VERSION_ID=" : "", strempty(host_os_release_version_id), - host_os_release_level ? image_class_info[class].level_env_print : "", - strempty(host_os_release_level)); + host_os_release_sysext_level ? image_class_info[IMAGE_SYSEXT].level_env_print : "", + strempty(host_os_release_sysext_level), + host_os_release_confext_level ? image_class_info[IMAGE_CONFEXT].level_env_print : "", + strempty(host_os_release_confext_level)); if (r < 0) return log_debug_errno(r, "Failed to mount image %s on %s: %m", mount_entry_source(m), mount_entry_path(m)); @@ -1465,8 +1459,8 @@ static int apply_one_mount( if (r >= 0) class = IMAGE_CONFEXT; } - if (r == -ENOENT) - return r; + if (r < 0) + return log_debug_errno(r, "Failed to acquire 'extension-release' data of extension tree %s: %m", mount_entry_source(m)); r = parse_os_release( empty_to_root(root_directory), diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 278d2291a28..d32ed8579e2 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -3912,6 +3912,7 @@ int verity_dissect_and_mount( const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, + const char *required_host_os_release_confext_level, const char *required_sysext_scope, DissectedImage **ret_image) { @@ -4029,7 +4030,7 @@ int verity_dissect_and_mount( dissected_image->image_name, required_host_os_release_id, required_host_os_release_version_id, - required_host_os_release_sysext_level, + class == IMAGE_SYSEXT ? required_host_os_release_sysext_level : required_host_os_release_confext_level, required_sysext_scope, extension_release, class); diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h index eb0841bd2e4..c418bb512a8 100644 --- a/src/shared/dissect-image.h +++ b/src/shared/dissect-image.h @@ -194,7 +194,7 @@ bool dissected_image_verity_sig_ready(const DissectedImage *image, PartitionDesi int mount_image_privately_interactively(const char *path, const ImagePolicy *image_policy, DissectImageFlags flags, char **ret_directory, int *ret_dir_fd, LoopDevice **ret_loop_device); -int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_sysext_scope, DissectedImage **ret_image); +int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_host_os_release_confext_level, const char *required_sysext_scope, DissectedImage **ret_image); int dissect_fstype_ok(const char *fstype); diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index 93e5af7e34d..011508e632a 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c @@ -884,6 +884,7 @@ static int mount_in_namespace_legacy( /* required_host_os_release_id= */ NULL, /* required_host_os_release_version_id= */ NULL, /* required_host_os_release_sysext_level= */ NULL, + /* required_host_os_release_confext_level= */ NULL, /* required_sysext_scope= */ NULL, /* ret_image= */ NULL); else @@ -1102,6 +1103,7 @@ static int mount_in_namespace( /* required_host_os_release_id= */ NULL, /* required_host_os_release_version_id= */ NULL, /* required_host_os_release_sysext_level= */ NULL, + /* required_host_os_release_confext_level= */ NULL, /* required_sysext_scope= */ NULL, &img); if (r < 0)