From: Daan De Meyer
Date: Thu, 23 Mar 2023 12:48:42 +0000 (+0100)
Subject: namespace: Load sidecar verity settings in apply_mount_namespace()
X-Git-Tag: v254-rc1~155^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66130f0a55c9b8e0cda869a21674749dcb70e83a;p=thirdparty%2Fsystemd.git
namespace: Load sidecar verity settings in apply_mount_namespace()
Let's reduce the argument count of setup_namespace() a bit by loading the sidecar verity settings in apply_mount_namespace(). This will also make it possible to pass file descriptors to the root image/directory into setup_namespace() as before this wasn't possible because the verity settings logic looks for sidecar files next to the root image which requires the path to be available.
---
diff --git a/src/core/execute.c b/src/core/execute.c
index e46875f5b0f..204c5a1f8c7 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3823,6 +3823,62 @@ static bool insist_on_sandboxing(
 return false;
 }
+static int verity_settings_prepare(
+ VeritySettings *verity,
+ const char *root_image,
+ const void *root_hash,
+ size_t root_hash_size,
+ const char *root_hash_path,
+ const void *root_hash_sig,
+ size_t root_hash_sig_size,
+ const char *root_hash_sig_path,
+ const char *verity_data_path) {
+ int r;
+ assert(verity);
+ if (root_hash) {
+ void *d;
+ d = memdup(root_hash, root_hash_size);
+ if (!d)
+ return -ENOMEM;
+ free_and_replace(verity->root_hash, d);
+ verity->root_hash_size = root_hash_size;
+ verity->designator = PARTITION_ROOT;
+ }
+ if (root_hash_sig) {
+ void *d;
+ d = memdup(root_hash_sig, root_hash_sig_size);
+ if (!d)
+ return -ENOMEM;
+ free_and_replace(verity->root_hash_sig, d);
+ verity->root_hash_sig_size = root_hash_sig_size;
+ verity->designator = PARTITION_ROOT;
+ }
+ if (verity_data_path) {
+ r = free_and_strdup(&verity->data_path, verity_data_path);
+ if (r < 0)
+ return r;
+ }
+ r = verity_settings_load(
+ verity,
+ root_image,
+ root_hash_path,
+ root_hash_sig_path);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to load root hash: %m");
+ return 0;
+}
+
 static int apply_mount_namespace(
 const Unit *u,
 ExecCommandFlags command_flags,
@@ -3832,12 +3888,12 @@ static int apply_mount_namespace(
 const char *memory_pressure_path,
 char **error_path) {
+ _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
 _cleanup_strv_free_ char **empty_directories = NULL, **symlinks = NULL, **read_write_paths_cleanup = NULL;
- const char *tmp_dir = NULL, *var_tmp_dir = NULL;
- const char *root_dir = NULL, *root_image = NULL;
 _cleanup_free_ char *creds_path = NULL, *incoming_dir = NULL, *propagate_dir = NULL, *extension_dir = NULL;
+ const char *root_dir = NULL, *root_image = NULL, *tmp_dir = NULL, *var_tmp_dir = NULL;
 char **read_write_paths;
 NamespaceInfo ns_info;
 bool needs_sandboxing;
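Review bot: verity_settings_prepare() lands in execute.c with no header comment and still reports a sidecar load failure through `log_debug_errno()` without unit attribution, even though its only caller in this file (apply_mount_namespace(), further down) has the Unit at hand. Consider passing the Unit in and using `log_unit_debug_errno(u, r, "Failed to load root hash: %m")`, so a failing RootHash=/RootVerity= lookup is attributable in the journal. A comment above the function along the lines of `/* Fills 'verity' from the explicitly configured root hash, signature and data path, then looks for sidecar files next to root_image via verity_settings_load(). The caller owns 'verity' and releases it with verity_settings_done(). */` would also help, since the ownership is only implied by the `_cleanup_(verity_settings_done)` declaration in the next hunk. The body itself is moved verbatim from namespace.c, so behaviour is unchanged.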
@@ -3956,6 +4012,17 @@ static int apply_mount_namespace(
 if (asprintf(&extension_dir, "/run/user/" UID_FMT "/systemd/unit-extensions", geteuid()) < 0)
 return -ENOMEM;
+ if (root_image) {
+ r = verity_settings_prepare(
+ &verity,
+ root_image,
+ context->root_hash, context->root_hash_size, context->root_hash_path,
+ context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
+ context->root_verity);
+ if (r < 0)
+ return r;
+ }
+
 r = setup_namespace(
 root_dir,
 root_image,
@@ -3981,9 +4048,7 @@ static int apply_mount_namespace(
 creds_path,
 context->log_namespace,
 context->mount_propagation_flag,
- context->root_hash, context->root_hash_size, context->root_hash_path,
- context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
- context->root_verity,
+ &verity,
 context->extension_images,
 context->n_extension_images,
 context->extension_image_policy ?: &image_policy_sysext,
diff --git a/src/core/namespace.c b/src/core/namespace.c
index fbcc4505b5a..bf01c5e0284 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
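Review bot: The new `if (root_image)` block gives a reader of execute.c no hint why verity settings are resolved here rather than inside setup_namespace(), which is the only place they are consumed. A comment before the block, e.g. `/* Resolve the verity settings here rather than in setup_namespace(): the sidecar lookup needs the image *path*, which the namespace code should not have to depend on. */`, would carry the rationale from the commit message into the code. It is also worth stating in that comment that without a root image the default-initialised `verity` is passed down unchanged, so the root hash/signature/verity fields of the context are not consulted in that case; that matches the previous placement of the call inside setup_namespace()'s root_image path, so it is not a behaviour change. apply_mount_namespace() starts and ends outside this hunk.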
@@ -1967,62 +1967,6 @@ static bool home_read_only(
 return false;
 }
-static int verity_settings_prepare(
- VeritySettings *verity,
- const char *root_image,
- const void *root_hash,
- size_t root_hash_size,
- const char *root_hash_path,
- const void *root_hash_sig,
- size_t root_hash_sig_size,
- const char *root_hash_sig_path,
- const char *verity_data_path) {
- int r;
- assert(verity);
- if (root_hash) {
- void *d;
- d = memdup(root_hash, root_hash_size);
- if (!d)
- return -ENOMEM;
- free_and_replace(verity->root_hash, d);
- verity->root_hash_size = root_hash_size;
- verity->designator = PARTITION_ROOT;
- }
- if (root_hash_sig) {
- void *d;
- d = memdup(root_hash_sig, root_hash_sig_size);
- if (!d)
- return -ENOMEM;
- free_and_replace(verity->root_hash_sig, d);
- verity->root_hash_sig_size = root_hash_sig_size;
- verity->designator = PARTITION_ROOT;
- }
- if (verity_data_path) {
- r = free_and_strdup(&verity->data_path, verity_data_path);
- if (r < 0)
- return r;
- }
- r = verity_settings_load(
- verity,
- root_image,
- root_hash_path,
- root_hash_sig_path);
- if (r < 0)
- return log_debug_errno(r, "Failed to load root hash: %m");
- return 0;
-}
-
 int setup_namespace(
 const char* root_directory,
 const char* root_image,
@@ -2048,13 +1992,7 @@ int setup_namespace(
 const char *creds_path,
 const char *log_namespace,
 unsigned long mount_propagation_flag,
- const void *root_hash,
- size_t root_hash_size,
- const char *root_hash_path,
- const void *root_hash_sig,
- size_t root_hash_sig_size,
- const char *root_hash_sig_path,
- const char *verity_data_path,
+ VeritySettings *verity,
 const MountImage *extension_images,
 size_t n_extension_images,
 const ImagePolicy *extension_image_policy,
@@ -2067,7 +2005,6 @@ int setup_namespace(
 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
 _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
- _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
 _cleanup_strv_free_ char **hierarchies = NULL;
 MountEntry *m = NULL, *mounts = NULL;
 bool require_prefix = false, setup_propagate = false;
@@ -2107,16 +2044,7 @@ int setup_namespace(
 strv_isempty(read_write_paths))
 dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
- r = verity_settings_prepare(
- &verity,
- root_image,
- root_hash, root_hash_size, root_hash_path,
- root_hash_sig, root_hash_sig_size, root_hash_sig_path,
- verity_data_path);
- if (r < 0)
- return r;
-
- SET_FLAG(dissect_image_flags, DISSECT_IMAGE_NO_PARTITION_TABLE, verity.data_path);
+ SET_FLAG(dissect_image_flags, DISSECT_IMAGE_NO_PARTITION_TABLE, verity && verity->data_path);
 r = loop_device_make_by_path(
 root_image,
@@ -2130,7 +2058,7 @@ int setup_namespace(
 r = dissect_loop_device(
 loop_device,
- &verity,
+ verity,
 root_image_mount_options,
 root_image_policy,
 dissect_image_flags,
@@ -2141,14 +2069,14 @@ int setup_namespace(
 r = dissected_image_load_verity_sig_partition(
 dissected_image,
 loop_device->fd,
- &verity);
+ verity);
 if (r < 0)
 return r;
 r = dissected_image_decrypt(
 dissected_image,
 NULL,
- &verity,
+ verity,
 dissect_image_flags);
 if (r < 0)
 return log_debug_errno(r, "Failed to decrypt dissected image: %m");
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 39b510f41d9..4ddd6a7d583 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
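Review bot: `verity` is now a caller-supplied pointer that can be NULL — the updated test-namespace.c and test-ns.c callers pass NULL for it — yet only the SET_FLAG line guards for that (`verity && verity->data_path`); the same pointer is then handed unguarded to dissect_loop_device(), dissected_image_load_verity_sig_partition() and dissected_image_decrypt() in the two hunks that follow. Previously `&verity` always pointed at a local default-initialised object, so those three callees never saw NULL from this path; their bodies are outside the diff, so either confirm each tolerates a NULL settings pointer or make the contract explicit with `assert(verity);` at the top of the root_image branch and require callers to pass a (possibly default-initialised) object, as apply_mount_namespace() already does. Whether the two test callers actually reach the root_image branch depends on their root_image argument, which is not shown here. setup_namespace() starts and ends outside these hunks.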
@@ -124,13 +124,7 @@ int setup_namespace(
 const char *creds_path,
 const char *log_namespace,
 unsigned long mount_propagation_flag,
- const void *root_hash,
- size_t root_hash_size,
- const char *root_hash_path,
- const void *root_hash_sig,
- size_t root_hash_sig_size,
- const char *root_hash_sig_path,
- const char *root_verity,
+ VeritySettings *verity,
 const MountImage *extension_images,
 size_t n_extension_images,
 const ImagePolicy *extension_image_policy,
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index 82be09dd6a6..b6ee628533e 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -197,12 +197,6 @@ TEST(protect_kernel_logs) {
 NULL,
 0,
 NULL,
- 0,
- NULL,
- NULL,
- 0,
- NULL,
- NULL,
 NULL,
 0,
 NULL,
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index 485069670b4..3a3af3584d4 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -99,12 +99,6 @@ int main(int argc, char *argv[]) {
 NULL,
 0,
 NULL,
- 0,
- NULL,
- NULL,
- 0,
- NULL,
- NULL,
 NULL,
 0,
 NULL,
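Review bot: The new `VeritySettings *verity` parameter in the setup_namespace() prototype says nothing about nullability or ownership, and the header is where callers will look: the core caller passes a `_cleanup_(verity_settings_done)` object it owns, while the test callers in this same diff pass NULL. A trailing comment on the parameter line, `VeritySettings *verity, /* may be NULL (if setup_namespace() tolerates it); caller owns it and releases it with verity_settings_done() */`, would pin the contract down. The parameter is deliberately non-const, which suggests setup_namespace() may write into it — the signature-partition loader it calls receives the same pointer — so if that is the case the comment should say so too; worth confirming against dissected_image_load_verity_sig_partition(), whose body is not in this diff.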