From: Lennart Poettering Date: Tue, 18 Mar 2025 21:24:00 +0000 (+0100) Subject: dissect-image: move extension release arguments of verity_dissect_and_mount() into... X-Git-Tag: v258-rc1~923^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcd904d471ef93da748e3ca65c18692926a7f2b7;p=thirdparty%2Fsystemd.git dissect-image: move extension release arguments of verity_dissect_and_mount() into a structure --- diff --git a/src/core/namespace.c b/src/core/namespace.c index 2912f819e9c..01d3c977d41 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1476,9 +1476,8 @@ static int mount_image( const char *root_directory, const ImagePolicy *image_policy) { - _cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL, - *host_os_release_sysext_level = NULL, *host_os_release_confext_level = NULL, - *extension_name = NULL; + _cleanup_(extension_release_data_done) ExtensionReleaseData rdata = {}; + _cleanup_free_ char *extension_name = NULL; int r; assert(m); @@ -1490,14 +1489,14 @@ static int mount_image( if (m->mode == MOUNT_EXTENSION_IMAGE) { r = parse_os_release( empty_to_root(root_directory), - "ID", &host_os_release_id, - "VERSION_ID", &host_os_release_version_id, - image_class_info[IMAGE_SYSEXT].level_env, &host_os_release_sysext_level, - image_class_info[IMAGE_CONFEXT].level_env, &host_os_release_confext_level, + "ID", &rdata.os_release_id, + "VERSION_ID", &rdata.os_release_version_id, + image_class_info[IMAGE_SYSEXT].level_env, &rdata.os_release_sysext_level, + image_class_info[IMAGE_CONFEXT].level_env, &rdata.os_release_confext_level, NULL); if (r < 0) return log_debug_errno(r, "Failed to acquire 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); - if (isempty(host_os_release_id)) + if (isempty(rdata.os_release_id)) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s'.", empty_to_root(root_directory)); } @@ -1508,26 +1507,22 @@ static int mount_image( m->image_options_const, image_policy, /* image_filter= */ NULL, - host_os_release_id, - host_os_release_version_id, - host_os_release_sysext_level, - host_os_release_confext_level, - /* required_sysext_scope= */ NULL, + &rdata, &m->verity, /* ret_image= */ NULL); if (r == -ENOENT && m->ignore) return 0; - if (r == -ESTALE && host_os_release_id) + if (r == -ESTALE && rdata.os_release_id) return log_error_errno(r, // FIXME: this should not be logged ad LOG_ERR, as it will result in duplicate logging. "Failed to mount image %s, extension-release metadata does not match the lower layer's: ID=%s%s%s%s%s%s%s", mount_entry_source(m), - host_os_release_id, - host_os_release_version_id ? " VERSION_ID=" : "", - strempty(host_os_release_version_id), - host_os_release_sysext_level ? image_class_info[IMAGE_SYSEXT].level_env_print : "", - strempty(host_os_release_sysext_level), - host_os_release_confext_level ? image_class_info[IMAGE_CONFEXT].level_env_print : "", - strempty(host_os_release_confext_level)); + rdata.os_release_id, + rdata.os_release_version_id ? " VERSION_ID=" : "", + strempty(rdata.os_release_version_id), + rdata.os_release_sysext_level ? image_class_info[IMAGE_SYSEXT].level_env_print : "", + strempty(rdata.os_release_sysext_level), + rdata.os_release_confext_level ? image_class_info[IMAGE_CONFEXT].level_env_print : "", + strempty(rdata.os_release_confext_level)); if (r < 0) return log_debug_errno(r, "Failed to mount image %s on %s: %m", mount_entry_source(m), mount_entry_path(m)); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index ca9b8d985bb..db7cbd44b3b 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -4286,11 +4286,7 @@ int verity_dissect_and_mount( const MountOptions *options, const ImagePolicy *image_policy, const ImageFilter *image_filter, - const char *required_host_os_release_id, - const char *required_host_os_release_version_id, - const char *required_host_os_release_sysext_level, - const char *required_host_os_release_confext_level, - const char *required_sysext_scope, + const ExtensionReleaseData *extension_release_data, VeritySettings *verity, DissectedImage **ret_image) { @@ -4304,7 +4300,7 @@ int verity_dissect_and_mount( assert(src); /* Verifying release metadata requires mounted image for now, so ensure the check is skipped when * opening an image without mounting it immediately (i.e.: 'dest' is NULL). */ - assert(!required_host_os_release_id || dest); + assert(!extension_release_data || dest); relax_extension_release_check = mount_options_relax_extension_release_checks(options); @@ -4403,11 +4399,11 @@ int verity_dissect_and_mount( * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if * available, or else fallback to VERSION_ID. If neither is present (eg: rolling release), * then a simple match on the ID will be performed. */ - if (required_host_os_release_id) { + if (extension_release_data && extension_release_data->os_release_id) { _cleanup_strv_free_ char **extension_release = NULL; ImageClass class = IMAGE_SYSEXT; - assert(!isempty(required_host_os_release_id)); + assert(!isempty(extension_release_data->os_release_id)); r = load_extension_release_pairs(dest, IMAGE_SYSEXT, dissected_image->image_name, relax_extension_release_check, &extension_release); if (r == -ENOENT) { @@ -4420,10 +4416,10 @@ int verity_dissect_and_mount( r = extension_release_validate( dissected_image->image_name, - required_host_os_release_id, - required_host_os_release_version_id, - class == IMAGE_SYSEXT ? required_host_os_release_sysext_level : required_host_os_release_confext_level, - required_sysext_scope, + extension_release_data->os_release_id, + extension_release_data->os_release_version_id, + class == IMAGE_SYSEXT ? extension_release_data->os_release_sysext_level : extension_release_data->os_release_confext_level, + extension_release_data->os_release_extension_scope, extension_release, class); if (r == 0) @@ -4442,6 +4438,16 @@ int verity_dissect_and_mount( return 0; } +void extension_release_data_done(ExtensionReleaseData *data) { + assert(data); + + data->os_release_id = mfree(data->os_release_id); + data->os_release_version_id = mfree(data->os_release_version_id); + data->os_release_sysext_level = mfree(data->os_release_sysext_level); + data->os_release_confext_level = mfree(data->os_release_confext_level); + data->os_release_extension_scope = mfree(data->os_release_extension_scope); +} + int get_common_dissect_directory(char **ret) { _cleanup_free_ char *t = NULL; int r; diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h index 3d919a65e0f..3313d149214 100644 --- a/src/shared/dissect-image.h +++ b/src/shared/dissect-image.h @@ -20,6 +20,7 @@ typedef struct DecryptedImage DecryptedImage; typedef struct MountOptions MountOptions; typedef struct VeritySettings VeritySettings; typedef struct ImageFilter ImageFilter; +typedef struct ExtensionReleaseData ExtensionReleaseData; struct DissectedPartition { bool found:1; @@ -154,6 +155,14 @@ struct ImageFilter { char *pattern[_PARTITION_DESIGNATOR_MAX]; }; +struct ExtensionReleaseData { + char *os_release_id; + char *os_release_version_id; + char *os_release_sysext_level; + char *os_release_confext_level; + char *os_release_extension_scope; +}; + /* We include image-policy.h down here, since ImagePolicy wants a complete definition of PartitionDesignator first. */ #include "image-policy.h" @@ -248,7 +257,7 @@ bool dissected_image_verity_sig_ready(const DissectedImage *image, PartitionDesi int mount_image_privately_interactively(const char *path, const ImagePolicy *image_policy, DissectImageFlags flags, char **ret_directory, int *ret_dir_fd, LoopDevice **ret_loop_device); -int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const ImageFilter *image_filter, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_host_os_release_confext_level, const char *required_sysext_scope, VeritySettings *verity, DissectedImage **ret_image); +int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const ImageFilter *image_filter, const ExtensionReleaseData *required_release_data, VeritySettings *verity, DissectedImage **ret_image); int dissect_fstype_ok(const char *fstype); @@ -257,6 +266,8 @@ int probe_sector_size_prefer_ioctl(int fd, uint32_t *ret); int partition_pick_mount_options(PartitionDesignator d, const char *fstype, bool rw, bool discard, char **ret_options, unsigned long *ret_ms_flags); +void extension_release_data_done(ExtensionReleaseData *data); + static inline const char* dissected_partition_fstype(const DissectedPartition *m) { assert(m); diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index c92e779a87f..b836cebddeb 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c @@ -970,11 +970,7 @@ static int mount_in_namespace_legacy( options, image_policy, /* image_filter= */ NULL, - /* required_host_os_release_id= */ NULL, - /* required_host_os_release_version_id= */ NULL, - /* required_host_os_release_sysext_level= */ NULL, - /* required_host_os_release_confext_level= */ NULL, - /* required_sysext_scope= */ NULL, + /* extension_release_data= */ NULL, /* verity= */ NULL, /* ret_image= */ NULL); else @@ -1195,11 +1191,7 @@ static int mount_in_namespace( options, image_policy, /* image_filter= */ NULL, - /* required_host_os_release_id= */ NULL, - /* required_host_os_release_version_id= */ NULL, - /* required_host_os_release_sysext_level= */ NULL, - /* required_host_os_release_confext_level= */ NULL, - /* required_sysext_scope= */ NULL, + /* extension_release_data= */ NULL, /* verity= */ NULL, &img); if (r < 0)