From: Lennart Poettering Date: Thu, 9 Sep 2021 09:33:03 +0000 (+0200) Subject: dissect-image: tighten checks on root + /usr/ combinations X-Git-Tag: v250-rc1~701^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7b32164f3c666ff00027f7061e677482bf270a9e;p=thirdparty%2Fsystemd.git dissect-image: tighten checks on root + /usr/ combinations Our code logic doesn't support images with two verity partitions at the moment, hence refuse this early (with ENOTUNIQ) Also, go even further and refuse any combinations of verity enabled root with verity-less /usr, simply because that is unsafe and defeats the point of verity. (i.e. we want to give the guarantee that for auto-discovered verity magic we guarantee that the data afterwards available in /usr is safe). --- diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 8a139d4f8c6..9547dad808f 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -1390,9 +1390,16 @@ int dissect_image( !(m->partitions[PARTITION_ROOT].found || (m->partitions[PARTITION_USR].found && FLAGS_SET(flags, DISSECT_IMAGE_USR_NO_ROOT)))) return -ENXIO; - /* Combinations of verity /usr with verity-less root is OK, but the reverse is not */ - if (m->partitions[PARTITION_ROOT_VERITY].found && m->partitions[PARTITION_USR].found && !m->partitions[PARTITION_USR_VERITY].found) - return -EADDRNOTAVAIL; + if (m->partitions[PARTITION_ROOT_VERITY].found) { + /* We only support one verity partition per image, i.e. can't do for both /usr and root fs */ + if (m->partitions[PARTITION_USR_VERITY].found) + return -ENOTUNIQ; + + /* We don't support verity enabled root with a split out /usr. Neither with nor without + * verity there. (Note that we do support verity-less root with verity-full /usr, though.) */ + if (m->partitions[PARTITION_USR].found) + return -EADDRNOTAVAIL; + } if (verity && verity->root_hash) { if (verity->designator < 0 || verity->designator == PARTITION_ROOT) {
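Review bot: The commit message understates what the new block in dissect_image() rejects: it says verity-enabled root is refused only in combination with a verity-less /usr, but the added code returns -EADDRNOTAVAIL whenever PARTITION_ROOT_VERITY and PARTITION_USR are both found, with or without a /usr verity partition (the in-code comment "Neither with nor without verity there" says so correctly). The message should be aligned with the code so that the security guarantee being claimed, that auto-discovered verity covers everything later visible under /usr, matches what is actually enforced. Two smaller points: -ENOTUNIQ is a new error value from this function, so any caller that translates dissect_image() errors into user-facing diagnostics needs a case for it, otherwise a two-verity-partition image will fail with an unexplained errno; and since the ENOTUNIQ check sits inside the PARTITION_ROOT_VERITY branch, the "one verity partition per image" rule is only enforced for the root/usr pair that exists today, which is fine now but worth a comment if further verity-capable designators are ever added.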