From: Luca Boccassi <luca.boccassi@microsoft.com>
Date: Wed, 19 Jan 2022 00:01:48 +0000 (+0000)
Subject: dissect-image: validate extension-release even if the host has only ID in os-release
X-Git-Tag: v251-rc1~502^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37361f46d571ad0b71ef99dec6a9b76edbab38bb;p=thirdparty%2Fsystemd.git

dissect-image: validate extension-release even if the host has only ID in os-release

A rolling distro won't set VERSION_ID or SYSEXT_LEVEL in os-release,
which means we skip validation of ExtensionImages.
Validate even with just an ID, the lower level helper already
recognizes and accepts this use case.

Fixes https://github.com/systemd/systemd/issues/22146
---

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 39a7f4c3f28..14519ead703 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -3534,9 +3534,9 @@ int verity_dissect_and_mount(
         /* If we got os-release values from the caller, then we need to match them with the image's
          * extension-release.d/ content. Return -EINVAL if there's any mismatch.
          * First, check the distro ID. If that matches, then check the new SYSEXT_LEVEL value if
-         * available, or else fallback to VERSION_ID. */
-        if (required_host_os_release_id &&
-            (required_host_os_release_version_id || required_host_os_release_sysext_level)) {
+         * available, or else fallback to VERSION_ID. If neither is present (eg: rolling release),
+         * then a simple match on the ID will be performed. */
+        if (required_host_os_release_id) {
                 _cleanup_strv_free_ char **extension_release = NULL;
 
                 r = load_extension_release_pairs(dest, dissected_image->image_name, &extension_release);