From: Lennart Poettering
Date: Tue, 13 Dec 2022 15:27:48 +0000 (+0100)
Subject: sysext: default to a stricter image policy when reading /.extra/sysext/ DDIs
X-Git-Tag: v254-rc1~748^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a594288d79f27147d95662927aa67c0567deb6cc;p=thirdparty%2Fsystemd.git

sysext: default to a stricter image policy when reading /.extra/sysext/ DDIs
---
diff --git a/src/analyze/analyze-image-policy.c b/src/analyze/analyze-image-policy.c
index e670fe5c4da..026216629c6 100644
--- a/src/analyze/analyze-image-policy.c
+++ b/src/analyze/analyze-image-policy.c
@@ -90,6 +90,8 @@ int verb_image_policy(int argc, char *argv[], void *userdata) {
 * introspect our own defaults without guaranteeing API safety. */
 if (streq(argv[i], "@sysext"))
 p = &image_policy_sysext;
+ else if (streq(argv[i], "@sysext-strict"))
+ p = &image_policy_sysext_strict;
 else if (streq(argv[i], "@container"))
 p = &image_policy_container;
 else if (streq(argv[i], "@service"))
diff --git a/src/shared/image-policy.c b/src/shared/image-policy.c
index 98c58c09010..5baeac4c5d8 100644
--- a/src/shared/image-policy.c
+++ b/src/shared/image-policy.c
@@ -631,6 +631,16 @@ const ImagePolicy image_policy_sysext = {
 .default_flags = PARTITION_POLICY_IGNORE,
 };
 
+const ImagePolicy image_policy_sysext_strict = {
+ /* For system extensions, requiring signing */
+ .n_policies = 2,
+ .policies = {
+ { PARTITION_ROOT, PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT },
+ { PARTITION_USR, PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT },
+ },
+ .default_flags = PARTITION_POLICY_IGNORE,
+};
+
 const ImagePolicy image_policy_container = {
 /* For systemd-nspawn containers we use all partitions, with the exception of swap */
 .n_policies = 8,
diff --git a/src/shared/image-policy.h b/src/shared/image-policy.h
index 278c06c36a6..a5e37642afa 100644
--- a/src/shared/image-policy.h
+++ b/src/shared/image-policy.h
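Review bot: The one-line comment on `image_policy_sysext_strict` in the image-policy.c hunk undersells what the policy actually enforces: both entries are `PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT`, so root and /usr may each be missing and, when present, must be backed by a signed verity partition, while `.default_flags = PARTITION_POLICY_IGNORE` makes every other partition type irrelevant. Spelling that out lets a reader distinguish it from the non-strict `image_policy_sysext`, whose body lies outside the hunk. Suggested replacement: `/* For system extensions picked up from an untrusted location: root and /usr may be absent, but if present must carry signed verity data; all other partitions are ignored. */`. Because both partitions are allowed to be absent, this policy alone does not reject a DDI that has neither; whether the caller rejects such an empty extension is not visible here.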
@@ -57,7 +57,8 @@ struct ImagePolicy {
 extern const ImagePolicy image_policy_allow;
 extern const ImagePolicy image_policy_deny;
 extern const ImagePolicy image_policy_ignore;
-extern const ImagePolicy image_policy_sysext;
+extern const ImagePolicy image_policy_sysext; /* No verity required */
+extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
 extern const ImagePolicy image_policy_container;
 extern const ImagePolicy image_policy_service;
 extern const ImagePolicy image_policy_host;
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index ce076f665a6..f784627e820 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -410,6 +410,24 @@ static int strverscmp_improvedp(char *const* a, char *const* b) {
 return strverscmp_improved(*a, *b);
 }
 
+static const ImagePolicy *pick_image_policy(const Image *img) {
+ assert(img);
+ assert(img->path);
+
+ /* Explicitly specified policy always wins */
+ if (arg_image_policy)
+ return arg_image_policy;
+
+ /* If located in /.extra/sysext/ in the initrd, then it was placed there by systemd-stub, and was
+ * picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
+ * other directories we assume the appropriate level of trust was already established already. */
+
+ if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
+ return &image_policy_sysext_strict;
+
+ return &image_policy_sysext;
+}
+
 static int merge_subprocess(Hashmap *images, const char *workspace) {
 _cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL, *host_os_release_sysext_level = NULL, *buf = NULL;
@@ -526,7 +544,7 @@ static int merge_subprocess(Hashmap *images, const char *workspace) {
 d,
 &verity_settings,
 /* mount_options= */ NULL,
- arg_image_policy ?: &image_policy_sysext,
+ pick_image_policy(img),
 flags,
 &m);
 if (r < 0)
diff --git a/src/test/test-image-policy.c b/src/test/test-image-policy.c
index 8dc2044c4a5..41941704d42 100644
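Review bot: The trust decision in `pick_image_policy` rests on a textual prefix match against `img->path`, and nothing in the hunk shows whether that path is canonical; if it is simply the path as enumerated in the search directory, an entry elsewhere that resolves into /.extra/sysext/ would be evaluated under the lax `image_policy_sysext`, which is only safe if the comment's assumption that the other directories are already trusted holds, so it is worth confirming where `img->path` is populated. The comment itself also needs tidying, as it has an unclosed parenthesis and a doubled "already"; e.g. `(For the other directories we assume the appropriate level of trust was already established.)`. When `arg_image_policy` is set it silently overrides the strict default even for ESP-sourced images, so a line such as `log_debug("Using explicitly configured image policy for %s.", img->path);` before the early return would make the weaker policy visible in the journal. merge_subprocess, whose first lines close the hunk, continues outside it.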
--- a/src/test/test-image-policy.c
+++ b/src/test/test-image-policy.c
@@ -77,6 +77,7 @@ TEST_RET(test_image_policy_to_string) {
 test_policy(&image_policy_ignore, "-");
 test_policy(&image_policy_deny, "~");
 test_policy(&image_policy_sysext, "sysext");
+ test_policy(&image_policy_sysext_strict, "sysext-strict");
 test_policy(&image_policy_container, "container");
 test_policy(&image_policy_host, "host");
 test_policy(&image_policy_service, "service");