char *password;
ImagePolicy *image_policy;
MountOptions *options;
+ bool relax_extension_release_check;
bool verity_sharing;
struct iovec verity_root_hash;
struct iovec verity_root_hash_sig;
void *userdata) {
static const sd_json_dispatch_field dispatch_table[] = {
- { "imageFileDescriptor", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint, offsetof(MountImageParameters, image_fd_idx), SD_JSON_MANDATORY },
- { "userNamespaceFileDescriptor", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint, offsetof(MountImageParameters, userns_fd_idx), 0 },
- { "readOnly", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MountImageParameters, read_only), 0 },
- { "growFileSystems", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MountImageParameters, growfs), 0 },
- { "password", SD_JSON_VARIANT_STRING, sd_json_dispatch_string, offsetof(MountImageParameters, password), 0 },
- { "imagePolicy", SD_JSON_VARIANT_STRING, json_dispatch_image_policy, offsetof(MountImageParameters, image_policy), 0 },
- { "mountOptions", SD_JSON_VARIANT_OBJECT, json_dispatch_image_options, offsetof(MountImageParameters, options), 0 },
- { "veritySharing", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MountImageParameters, verity_sharing), 0 },
- { "verityDataFileDescriptor", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint, offsetof(MountImageParameters, verity_data_fd_idx), 0 },
- { "verityRootHash", SD_JSON_VARIANT_STRING, json_dispatch_unhex_iovec, offsetof(MountImageParameters, verity_root_hash), 0 },
- { "verityRootHashSignature", SD_JSON_VARIANT_STRING, json_dispatch_unbase64_iovec, offsetof(MountImageParameters, verity_root_hash_sig), 0 },
+ { "imageFileDescriptor", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint, offsetof(MountImageParameters, image_fd_idx), SD_JSON_MANDATORY },
+ { "userNamespaceFileDescriptor", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint, offsetof(MountImageParameters, userns_fd_idx), 0 },
+ { "readOnly", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MountImageParameters, read_only), 0 },
+ { "growFileSystems", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MountImageParameters, growfs), 0 },
+ { "password", SD_JSON_VARIANT_STRING, sd_json_dispatch_string, offsetof(MountImageParameters, password), 0 },
+ { "imagePolicy", SD_JSON_VARIANT_STRING, json_dispatch_image_policy, offsetof(MountImageParameters, image_policy), 0 },
+ { "mountOptions", SD_JSON_VARIANT_OBJECT, json_dispatch_image_options, offsetof(MountImageParameters, options), 0 },
+ { "relaxExtensionReleaseChecks", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MountImageParameters, relax_extension_release_check), 0 },
+ { "veritySharing", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MountImageParameters, verity_sharing), 0 },
+ { "verityDataFileDescriptor", SD_JSON_VARIANT_UNSIGNED, sd_json_dispatch_uint, offsetof(MountImageParameters, verity_data_fd_idx), 0 },
+ { "verityRootHash", SD_JSON_VARIANT_STRING, json_dispatch_unhex_iovec, offsetof(MountImageParameters, verity_root_hash), 0 },
+ { "verityRootHashSignature", SD_JSON_VARIANT_STRING, json_dispatch_unbase64_iovec, offsetof(MountImageParameters, verity_root_hash_sig), 0 },
VARLINK_DISPATCH_POLKIT_FIELD,
{}
};
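Review bot: The new setting is spelled three ways. The wire field is `relaxExtensionReleaseChecks` (plural), the struct member is `relax_extension_release_check` (singular), and the comment added in the client-side filtering hunk refers to `relaxExtensionReleaseCheck`, which is not the name on the wire. Since the Varlink field name becomes API once released, pick one form now and correct that comment to `relaxExtensionReleaseChecks`. Re-emitting every row of `dispatch_table` just to widen the name column also hides the single functional line; a short comment above the new entry saying that it is caller-controlled and defaults to false would help the next reader.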
/* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
* classified by the policy as an 'unprotected' image and will be refused otherwise. */
DISSECT_IMAGE_NO_PARTITION_TABLE |
- DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
+ DISSECT_IMAGE_ALLOW_USERSPACE_VERITY |
+ (p.relax_extension_release_check ? DISSECT_IMAGE_RELAX_EXTENSION_CHECK : 0);
/* Let's see if we have acquired the privilege to mount untrusted images already */
bool polkit_have_untrusted_action =
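Review bot: `p.relax_extension_release_check` comes straight from the request and is OR-ed into the dissection flags before the polkit state is consulted on the following lines, so any caller who can reach this method can switch the check off. If `DISSECT_IMAGE_RELAX_EXTENSION_CHECK` only loosens extension-release name matching, that may be acceptable, but nothing in the hunk says so. I would add a comment at the flag, for example `/* Caller-controlled: only relaxes extension-release name matching, never verity or image policy enforcement (TODO confirm) */`. If that cannot be confirmed, honour the field only once the untrusted-image action has been authorized. The enclosing function starts and ends outside the hunk.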
#include "fileio.h"
#include "format-util.h"
#include "fsck-util.h"
+#include "fstab-util.h"
#include "gpt.h"
#include "hash-funcs.h"
#include "hexdecoct.h"
_cleanup_(sd_json_variant_unrefp) sd_json_variant *mount_options = NULL;
for (PartitionDesignator i = 0; i < _PARTITION_DESIGNATOR_MAX; i++) {
+ _cleanup_free_ char *filtered = NULL;
+
const char *o = mount_options_from_designator(options, i);
if (!o)
continue;
+ /* We communicate relaxExtensionReleaseCheck separately via the varlink API, so filter it out
+ * from the mount options we pass to mountfsd. */
+ if (IN_SET(i, PARTITION_ROOT, PARTITION_USR)) {
+ r = fstab_filter_options(
+ o,
+ "x-systemd.relax-extension-release-check\0",
+ /* ret_namefound= */ NULL,
+ /* ret_value= */ NULL,
+ /* ret_values= */ NULL,
+ &filtered);
+ if (r < 0)
+ return log_error_errno(r, "Failed to filter mount options: %m");
+
+ if (isempty(filtered))
+ continue;
+ }
+
r = sd_json_variant_merge_objectbo(
&mount_options,
- SD_JSON_BUILD_PAIR_STRING(partition_designator_to_string(i), o));
+ SD_JSON_BUILD_PAIR_STRING(partition_designator_to_string(i), filtered ?: o));
if (r < 0)
return log_error_errno(r, "Failed to build mount options array: %m");
}
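Review bot: `x-systemd.relax-extension-release-check` is stripped only when the designator is `PARTITION_ROOT` or `PARTITION_USR`, so the same string set on any other partition's options is still forwarded to mountfsd inside `mountOptions`. Whether `mount_options_relax_extension_release_checks()` consults only those two designators is not visible here; if it looks at more, the filter and the flag disagree. Either drop the `IN_SET(i, PARTITION_ROOT, PARTITION_USR)` guard so the filter runs for every designator, or extend the comment to state why the other designators can never carry the option. The comment should also use the wire name `relaxExtensionReleaseChecks`. The enclosing function starts and ends outside the hunk.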
SD_JSON_BUILD_PAIR_BOOLEAN("growFileSystems", FLAGS_SET(flags, DISSECT_IMAGE_GROWFS)),
SD_JSON_BUILD_PAIR_CONDITION(!!ps, "imagePolicy", SD_JSON_BUILD_STRING(ps)),
JSON_BUILD_PAIR_VARIANT_NON_NULL("mountOptions", mount_options),
+ SD_JSON_BUILD_PAIR_BOOLEAN("relaxExtensionReleaseChecks", mount_options_relax_extension_release_checks(options)),
SD_JSON_BUILD_PAIR_BOOLEAN("veritySharing", FLAGS_SET(flags, DISSECT_IMAGE_VERITY_SHARE)),
SD_JSON_BUILD_PAIR_CONDITION(verity_data_fd >= 0, "verityDataFileDescriptor", SD_JSON_BUILD_UNSIGNED(userns_fd >= 0 ? 2 : 1)),
SD_JSON_BUILD_PAIR_CONDITION(verity && iovec_is_set(&verity->root_hash), "verityRootHash", JSON_BUILD_IOVEC_HEX(&verity->root_hash)),
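Review bot: `relaxExtensionReleaseChecks` is now sent on every request, including when it is false, so a newer client adds a field that an older mountfsd does not have in its dispatch table. Whether the receiving dispatch tolerates unknown fields is not visible here; if it does not, every mount request from an updated client to a not-yet-updated service would be rejected. Emitting the field only when set avoids that: `SD_JSON_BUILD_PAIR_CONDITION(mount_options_relax_extension_release_checks(options), "relaxExtensionReleaseChecks", SD_JSON_BUILD_BOOLEAN(true)),`. The surrounding call starts and ends outside the hunk.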