From 53d49fbf3fec22be03d307f24ae4b9ac6b3db52a Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Tue, 21 Oct 2025 00:37:44 +0100
Subject: [PATCH] mountfsd: allow privileged users to mount bare unprotected filesystems

This is useful when we start to call mountfsd from root, for example from the tests where we just use a simple squashfs/erofs. Note that this requires the caller to be root, and it will be rejected otherwise, as such images are classified as 'unprotected' and the enforced policy does not accept them for unprivileged users.
---
 src/mountfsd/mountwork.c | 4 +++-
 test/units/TEST-50-DISSECT.mountfsd.sh | 9 +++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c
index 141d8f62de2..32c0420ad00 100644
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@@ -449,7 +449,9 @@ static int vl_method_mount_image(
 DISSECT_IMAGE_ADD_PARTITION_DEVICES |
 DISSECT_IMAGE_PIN_PARTITION_DEVICES |
 (p.verity_sharing ? DISSECT_IMAGE_VERITY_SHARE : 0) |
- (p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
+ /* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
+ * classified by the policy as an 'unprotected' image and will be refused otherwise. */
+ DISSECT_IMAGE_NO_PARTITION_TABLE |
 DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;

 /* Let's see if we have acquired the privilege to mount untrusted images already */
diff --git a/test/units/TEST-50-DISSECT.mountfsd.sh b/test/units/TEST-50-DISSECT.mountfsd.sh
index cca502dfcb3..92d497903f2 100755
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
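Review bot: With `DISSECT_IMAGE_NO_PARTITION_TABLE` now set unconditionally in the dissect flags of `vl_method_mount_image`, the only thing keeping an unprivileged caller from getting a bare filesystem without verity mounted is the image policy check, which is not visible in this hunk. The new comment says this "requires privileges" while the commit message says "root", and the context line just below refers to a privilege that can be acquired for untrusted images, so it is unclear from here whether a caller who obtained that privilege without being root is also let through; in that case the kernel would parse an unauthenticated superblock. I would state the gate explicitly in the comment, for example `/* Also accept bare filesystems. Without verity these are classified 'unprotected', so the image policy enforced for the caller is the sole gate and must not admit 'unprotected' for unprivileged callers. */`, and confirm which callers the policy actually exempts. The function body starts and ends outside the hunk.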
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
 mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
 fi

+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+ --property ExtensionImages=/tmp/app1.raw \
+ true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+ --property ExtensionImages=/tmp/app1.raw \
+ --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+ true)
+
 # Install key in keychain
 mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/
--
2.47.3
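Review bot: Both negated `systemd-run` calls pass on any non-zero exit, so they would also pass if `/tmp/app1.raw` were missing or the `testuser@` session failed to start, and would then say nothing about the policy refusing a bare image. A `test -f /tmp/app1.raw` before the first call would at least rule out the missing-file case; where the image is created is outside this hunk. The hunk also covers only the rejection side: the privileged path that the commit enables has no test here, so a change in how the now-unconditional flag interacts with the policy would only be noticed for unprivileged callers.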