From 2ab3a2b44c582dc4aeb90cb0bc3c19b6b68db5a1 Mon Sep 17 00:00:00 2001 From: Kai Lueke Date: Thu, 20 Nov 2025 23:43:55 +0900 Subject: [PATCH] sysext: Use correct image name for extension release checks For the extension release check the image name is needed and was derived from the backing file of the loop device. However, this can have a different name when symlinks were resolved. The surprising behavior was that it worked when the target name started with the extension name and _ because that's what's supported to chop off version suffixes. However, we should not have such strict requirements for the target name and also allow - as version separator and entirely different names/prefixes, the same way as we also do for directories instead of raw images. Do not use the image name derived from the backing file of the loop device but directly the extension name we have at hand. --- src/shared/discover-image.c | 5 +++++ src/sysext/sysext.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c index 9a7cef5a7c1..92229f603a8 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -2136,6 +2136,11 @@ int image_read_metadata(Image *i, const char *root, const ImagePolicy *image_pol if (r < 0) return log_debug_errno(r, "Failed to decrypt image '%s': %m", i->path); + /* Do not use the image name derived from the backing file of the loop device */ + r = free_and_strdup(&m->image_name, i->name); + if (r < 0) + return r; + r = dissected_image_acquire_metadata( m, /* userns_fd= */ -EBADF, diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c index 072181ea46f..c88a6435e43 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -1910,6 +1910,11 @@ static int merge_subprocess( if (r < 0) return r; + /* Do not use the image name derived from the backing file of the loop device */ + r = free_and_strdup(&m->image_name, img->name); + if (r < 0) + return r; + r = dissected_image_load_verity_sig_partition( m, d->fd, -- 2.47.3