git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Wed, 12 Mar 2025 07:37:05 +0000 (08:37 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 31 Mar 2025 13:14:13 +0000 (15:14 +0200)
commit	0bdd5ccc8145af8dae9779751d3e7a34c4fa6aa5
tree	86b5db86548fbf5e30b62ad58ac594fcb8ff8012	tree \| snapshot
parent	9fbe26cfa8fadb58e048aa6a57ad0dacf5de03fc	commit \| diff

validatefs: add new tool that enforces mount constraints

This new tool looks for a three xattr on the root inode of a file system
that encode mount constraints of the file system. The tool is supposed
to be hooke into the mount logic and is supposed to protect against
misappropriating trusted file systems in unintended ways.

Consider the following scenario: we boot up on first boot and create a
tpm-locked pair of /var/ and /srv/ partitions via systemd-repart. An
attacker then offline modifies the partition table, exchanging the
metadata of the /var/ and /srv/ partition. So far we'd happily accept
that, honour the modified metadata and boot up. This could be used to
revert changes to /var/ or similar. And all that even though both
partitions are encrypted and locked to TPM!

With this new mechanism we can encode in the protected contents of the
file systems the ways it can be used: the partition type uuid, the
partition label and the intended mount point can be stored in xattrs,
and we can check them automatically on mount, and take action on
mismatch. (action would typically be immediate reboot).

man/rules/meson.build		diff \| blob \| blame \| history
man/systemd-validatefs@.service.xml	[new file with mode: 0644]	blob
meson.build		diff \| blob \| blame \| history
src/validatefs/meson.build	[new file with mode: 0644]	blob
src/validatefs/validatefs.c	[new file with mode: 0644]	blob
units/meson.build		diff \| blob \| blame \| history
units/systemd-validatefs@.service.in	[new file with mode: 0644]	blob