mountfsd: allow privileged users to mount bare unprotected filesystems
authorLuca Boccassi <luca.boccassi@gmail.com>
Mon, 20 Oct 2025 23:37:44 +0000 (00:37 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 22 Oct 2025 15:47:46 +0000 (16:47 +0100)
This is useful when we start to call mountfsd from root, for example
from the tests where we just use a simple squashfs/erofs.
Note that this requires the caller to be root, and it will be rejected
otherwise, as such images are classified as 'unprotected' and the
enforced policy does not accept them for unprivileged users.

src/mountfsd/mountwork.c
test/units/TEST-50-DISSECT.mountfsd.sh

index 141d8f62de2324ec304cc78ad01168978e3473a2..32c0420ad00489c602f839b28589d4fa84848dca 100644 (file)
@@ -449,7 +449,9 @@ static int vl_method_mount_image(
                 DISSECT_IMAGE_ADD_PARTITION_DEVICES |
                 DISSECT_IMAGE_PIN_PARTITION_DEVICES |
                 (p.verity_sharing ? DISSECT_IMAGE_VERITY_SHARE : 0) |
-                (p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
+                /* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
+                 * classified by the policy as an 'unprotected' image and will be refused otherwise. */
+                DISSECT_IMAGE_NO_PARTITION_TABLE |
                 DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
 
         /* Let's see if we have acquired the privilege to mount untrusted images already */
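Review bot: With `DISSECT_IMAGE_NO_PARTITION_TABLE` now set for every request, the only barrier between an unprivileged caller and a bare, unverified file system is the image policy check, which is not visible in this hunk. The removed condition tied the flag to a supplied verity data fd, so bare images without Verity presumably reach dissection for all callers now and are refused only later. The new comment should name that dependency rather than open with "Maybe", for example `/* Also accept bare file systems. Without Verity these are 'unprotected', so the image policy applied to unprivileged callers must keep refusing them. */`. That way a later relaxation of the default policy gets reviewed against this line. vl_method_mount_image() starts and ends outside the hunk.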
index cca502dfcb3dce564afd3fcaa238ec6fc0589be8..92d497903f20b5e49469bbed009037a361675cf5 100755 (executable)
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
     mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
 fi
 
+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+    true)
+
 # Install key in keychain
 mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/
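Review bot: Both added cases only assert that an unprivileged `systemd-run` fails, so nothing in this commit tests what it introduces: a root caller mounting the bare image through mountfsd. `(! …)` also succeeds on any failure, including a missing `/tmp/app1.raw` (its creation is not visible in this hunk) or an unrelated unit start error, so the policy refusal may not be the path exercised. Consider guarding the cases with `test -f /tmp/app1.raw` and adding a positive root-side case, or checking the captured output for the refusal instead of only the exit status.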