git.ipfire.org Git - thirdparty/systemd.git/commit
discover-image: imply that hidden images are read-only
author: Lennart Poettering <lennart@poettering.net>
Mon, 25 Aug 2025 10:26:53 +0000 (12:26 +0200)
committer: Lennart Poettering <lennart@poettering.net>
Fri, 24 Oct 2025 15:51:00 +0000 (17:51 +0200)
commit: ee327e086e0534645d1c8cb9daa49cd8d7d68d51
tree: b1970618afc72cc7989c4d49160ee4f8622b5742
parent: 502f7a2b804370d32adb373e661831f583565075
discover-image: imply that hidden images are read-only

Marking a whole directory tree OS image as read-only is difficult
privilege-wise, because so far we rely on the FS_IMMUTABLE_FL which is
not accessible to unpriv clients.

One fundamental place where we currently rely on marking images
read-only is for keeping pristine copies of the originally downloaded
image around, which we place in "hidden" image directories. This is
probably the most relevant use case for the read-only flag. And moreover,
the only use case for the hidden images is these read-only pristine
copies.

Hence, let's make this work reasonably in the unpriv case, and simply
imply the read-only flag for hidden images. This is strictly speaking a
change in behaviour, but effectively it shouldn't be, because for nspawn
containers that are executed we insist on names that are hostname
compatible, and hidden names aren't (because they start with a dot).
src/dissect/dissect.c
src/import/importd.c
src/machine/image-dbus.c
src/machine/machined-dbus.c
src/machine/machined-varlink.c
src/nspawn/nspawn.c
src/portable/portabled-bus.c
src/portable/portabled-image-bus.c
src/shared/discover-image.c
src/shared/discover-image.h