From: Lennart Poettering
Date: Wed, 8 Nov 2023 18:10:44 +0000 (+0100)
Subject: confext: make sure we pick up configuration extensions passed to us from the stub
X-Git-Tag: v256-rc1~1329^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d4fee8941af312ea70306dd2742aece9da9028db;p=thirdparty%2Fsystemd.git
confext: make sure we pick up configuration extensions passed to us from the stub
With fixes from Maanya Goenka.
---
diff --git a/src/analyze/analyze-image-policy.c b/src/analyze/analyze-image-policy.c
index 0146b50c78c..7d4f5498e84 100644
--- a/src/analyze/analyze-image-policy.c
+++ b/src/analyze/analyze-image-policy.c
@@ -94,6 +94,8 @@ int verb_image_policy(int argc, char *argv[], void *userdata) {
 p = &image_policy_sysext_strict;
 else if (streq(argv[i], "@confext"))
 p = &image_policy_confext;
+ else if (streq(argv[i], "@confext-strict"))
+ p = &image_policy_confext_strict;
 else if (streq(argv[i], "@container"))
 p = &image_policy_container;
 else if (streq(argv[i], "@service"))
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index b3f4c9ab766..3baa84c8bd5 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -75,15 +75,20 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
 "/usr/lib/confexts\0",
 };
-/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext in extension
- * search dir) */
+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
+ * .extra/confext/ in extension search dir) */
 static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
 /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
 [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
 "/run/extensions\0" /* and here too */
 "/var/lib/extensions\0" /* the main place for images */
- "/.extra/sysext\0" /* put sysext picked up by systemd-stub last, since not trusted */
+ "/.extra/sysext\0", /* put sysext picked up by systemd-stub last, since not trusted */
+
+ [IMAGE_CONFEXT] = "/run/confexts\0" /* only place symlinks here */
+ "/var/lib/confexts\0" /* the main place for images */
+ "/usr/local/lib/confexts\0"
+ "/.extra/confext\0", /* put confext picked up by systemd-stub last, since not trusted */
 };
 static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {
diff --git a/src/shared/image-policy.c b/src/shared/image-policy.c
index 3c3de509798..47ca62c7313 100644
--- a/src/shared/image-policy.c
+++ b/src/shared/image-policy.c
@@ -726,6 +726,14 @@ const ImagePolicy image_policy_confext = {
 .default_flags = PARTITION_POLICY_IGNORE,
 };
+const ImagePolicy image_policy_confext_strict = {
+ .n_policies = 1,
+ .policies = {
+ { PARTITION_ROOT, PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT },
+ },
+ .default_flags = PARTITION_POLICY_IGNORE,
+};
+
 const ImagePolicy image_policy_container = {
 /* For systemd-nspawn containers we use all partitions, with the exception of swap */
 .n_policies = 8,
diff --git a/src/shared/image-policy.h b/src/shared/image-policy.h
index f59c16e173b..c2a0a5ac40f 100644
--- a/src/shared/image-policy.h
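Review bot: The new `[IMAGE_CONFEXT]` entry of `image_search_path_initrd` in src/shared/discover-image.c leaves out `/usr/lib/confexts`, which the first context line of the hunk shows as the closing entry of the regular `image_search_path` table (presumably its confext list). The table's own comment says only classes not listed here inherit the regular search path, so listing the class replaces that list and, if the omission is unintended, confexts under /usr/lib/confexts would not be discovered in the initrd. If it should stay searchable, add `"/usr/lib/confexts\0"` before `"/.extra/confext\0",` so the untrusted stub directory remains last. The `/* only place symlinks here */` remark on `/run/confexts` also reads as copied from the `/etc/extensions` line and should be confirmed.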
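Review bot: `image_policy_confext_strict` in src/shared/image-policy.c is added without the kind of explanatory comment the neighbouring `image_policy_container` carries, and its flags are not self-explanatory. As the flag names read, `PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT` on `PARTITION_ROOT` together with `.default_flags = PARTITION_POLICY_IGNORE` means an image with no root partition also satisfies the policy and every other partition is ignored, which is looser than the header's "Signed verity required" suggests at first reading. I would add `/* For confexts from untrusted sources: root must be protected by signed Verity or be absent, everything else is ignored */` as the first line inside the initializer.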
+++ b/src/shared/image-policy.h
@@ -58,9 +58,10 @@ struct ImagePolicy {
 extern const ImagePolicy image_policy_allow;
 extern const ImagePolicy image_policy_deny;
 extern const ImagePolicy image_policy_ignore;
-extern const ImagePolicy image_policy_sysext; /* No verity required */
-extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
-extern const ImagePolicy image_policy_confext; /* No verity required */
+extern const ImagePolicy image_policy_sysext; /* No verity required */
+extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
+extern const ImagePolicy image_policy_confext; /* No verity required */
+extern const ImagePolicy image_policy_confext_strict; /* Signed verity required */
 extern const ImagePolicy image_policy_container;
 extern const ImagePolicy image_policy_service;
 extern const ImagePolicy image_policy_host;
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index fe11fe0f07c..fc793707814 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -659,8 +659,16 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
 * picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
 * other directories we assume the appropriate level of trust was already established already. */
- if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
- return &image_policy_sysext_strict;
+ if (in_initrd()) {
+ if (path_startswith(img->path, "/.extra/sysext/"))
+ return &image_policy_sysext_strict;
+ if (path_startswith(img->path, "/.extra/confext/"))
+ return &image_policy_confext_strict;
+
+ /* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
+ if (path_startswith(img->path, "/.extra/"))
+ return &image_policy_deny;
+ }
 return image_class_info[img->class].default_image_policy;
 }
diff --git a/src/test/test-image-policy.c b/src/test/test-image-policy.c
index d9fe5562a1b..1572093c9dc 100644
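Review bot: `pick_image_policy()` in src/sysext/sysext.c selects the strict and deny policies by prefix-matching `img->path` only, and the hunk does not show whether that field is the path as found in the search directory or a resolved target. The search-path table in discover-image.c marks /etc/extensions and /run/confexts as places for symlinks, so if `img->path` is the unresolved form, an image reached through a link from one of those directories into /.extra/ gets the class default rather than the strict policy. That is consistent with the comment's trust assumption for the other directories, but it is worth stating, e.g. `/* Matches the path the image was discovered under; symlinks from trusted directories are not resolved here — TODO confirm */` above `if (in_initrd()) {`. The function and the opening of its comment start above the hunk, and the visible comment tail does not yet mention confext or the new deny case.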
--- a/src/test/test-image-policy.c
+++ b/src/test/test-image-policy.c
@@ -79,6 +79,7 @@ TEST_RET(test_image_policy_to_string) {
 test_policy(&image_policy_sysext, "sysext");
 test_policy(&image_policy_sysext_strict, "sysext-strict");
 test_policy(&image_policy_confext, "confext");
+ test_policy(&image_policy_confext_strict, "confext-strict");
 test_policy(&image_policy_container, "container");
 test_policy(&image_policy_host, "host");
 test_policy(&image_policy_service, "service");