From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 13 Dec 2022 15:27:38 +0000 (+0100)
Subject: discover-image: automaticaly pick up sysext images from /.extra/sysext
X-Git-Tag: v254-rc1~748^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=73740c9f842a6fda8bba9af65dff82658a9aec90;p=thirdparty%2Fsystemd.git

discover-image: automaticaly pick up sysext images from /.extra/sysext
---

diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 86ff5d6d93a..df3d5b77656 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -28,6 +28,7 @@
 #include "hashmap.h"
 #include "hostname-setup.h"
 #include "id128-util.h"
+#include "initrd-util.h"
 #include "lock-util.h"
 #include "log.h"
 #include "loop-util.h"
@@ -68,6 +69,19 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
                             "/var/lib/extensions\0",        /* the main place for images */
 };
 
+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext in extension
+ * search dir) */
+static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
+        /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
+
+        [IMAGE_EXTENSION] = "/etc/extensions\0"             /* only place symlinks here */
+                            "/run/extensions\0"             /* and here too */
+                            "/var/lib/extensions\0"         /* the main place for images */
+                            "/usr/local/lib/extensions\0"
+                            "/usr/lib/extensions\0"
+                            "/.extra/sysext\0"              /* put sysext picked up by systemd-stub last, since not trusted */
+};
+
 static Image *image_free(Image *i) {
         assert(i);
 
@@ -441,6 +455,14 @@ static int image_make(
         return -EMEDIUMTYPE;
 }
 
+static const char *pick_image_search_path(ImageClass class) {
+        if (class < 0 || class >= _IMAGE_CLASS_MAX)
+                return NULL;
+
+        /* Use the initrd search path if there is one, otherwise use the common one */
+        return in_initrd() && image_search_path_initrd[class] ? image_search_path_initrd[class] : image_search_path[class];
+}
+
 int image_find(ImageClass class,
                const char *name,
                const char *root,
@@ -456,7 +478,7 @@ int image_find(ImageClass class,
         if (!image_name_is_valid(name))
                 return -ENOENT;
 
-        NULSTR_FOREACH(path, image_search_path[class]) {
+        NULSTR_FOREACH(path, pick_image_search_path(class)) {
                 _cleanup_free_ char *resolved = NULL;
                 _cleanup_closedir_ DIR *d = NULL;
                 struct stat st;
@@ -555,7 +577,7 @@ int image_discover(
         assert(class < _IMAGE_CLASS_MAX);
         assert(h);
 
-        NULSTR_FOREACH(path, image_search_path[class]) {
+        NULSTR_FOREACH(path, pick_image_search_path(class)) {
                 _cleanup_free_ char *resolved = NULL;
                 _cleanup_closedir_ DIR *d = NULL;
 
@@ -1284,7 +1306,7 @@ bool image_in_search_path(
 
         assert(image);
 
-        NULSTR_FOREACH(path, image_search_path[class]) {
+        NULSTR_FOREACH(path, pick_image_search_path(class)) {
                 const char *p, *q;
                 size_t k;
 
diff --git a/units/systemd-sysext.service b/units/systemd-sysext.service
index 9a8d4ebc5f8..5999d38d35c 100644
--- a/units/systemd-sysext.service
+++ b/units/systemd-sysext.service
@@ -15,6 +15,7 @@ ConditionCapability=CAP_SYS_ADMIN
 ConditionDirectoryNotEmpty=|/etc/extensions
 ConditionDirectoryNotEmpty=|/run/extensions
 ConditionDirectoryNotEmpty=|/var/lib/extensions
+ConditionDirectoryNotEmpty=|/.extra/sysext
 
 DefaultDependencies=no
 After=local-fs.target