From f1395724f608f8d192615235daaca0cec7ad1c93 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 18 Mar 2025 16:46:27 +0100 Subject: [PATCH] dissect-image: add a concept for "filtering" partitions we dissect DDIs may contain multiple versions of the same OS, or even multiple OSes. Hence it makes sense to not just pick the "newest", whatever that might be, but only partitions associated with specific images, or in a specific version. Let's a concept for such filtering: a per-designator glob expression that can be applied to the partition label string, and can be used for such filtering. Usecase: when picking UKI belonging to OS image X in version Y, make sure we only pick a /usr/ partition belonging to X in version Y, and a root and home partition belonging to X in any version. This only adds the basic infrastructure, but doesn't actually expose it anywhere. --- src/core/namespace.c | 2 + src/dissect/dissect.c | 6 +- src/gpt-auto-generator/gpt-auto-generator.c | 1 + src/mountfsd/mountwork.c | 1 + src/nspawn/nspawn.c | 3 +- src/portable/portable.c | 1 + src/shared/discover-image.c | 1 + src/shared/dissect-image.c | 114 +++++++++++++++++++- src/shared/dissect-image.h | 21 +++- src/shared/mount-util.c | 2 + src/sysext/sysext.c | 1 + src/test/meson.build | 1 + src/test/test-image-filter.c | 39 +++++++ src/test/test-loop-block.c | 45 +++++++- src/udev/udev-builtin-dissect_image.c | 2 + src/vmspawn/vmspawn.c | 1 + 16 files changed, 224 insertions(+), 17 deletions(-) create mode 100644 src/test/test-image-filter.c diff --git a/src/core/namespace.c b/src/core/namespace.c index fac3c05f61e..2912f819e9c 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1507,6 +1507,7 @@ static int mount_image( mount_entry_path(m), m->image_options_const, image_policy, + /* image_filter= */ NULL, host_os_release_id, host_os_release_version_id, host_os_release_sysext_level, 
@@ -2352,6 +2353,7 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) { p->verity, p->root_image_options, p->root_image_policy, + /* image_filter= */ NULL, dissect_image_flags, &dissected_image); if (r < 0) diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c index 06d6d3935f1..fda688b21e1 100644 --- a/src/dissect/dissect.c +++ b/src/dissect/dissect.c @@ -2106,10 +2106,11 @@ static int action_validate(void) { r = dissect_image_file_and_warn( arg_image, &arg_verity_settings, - NULL, + /* mount_options= */ NULL, arg_image_policy, + /* image_filter= */ NULL, arg_flags, - NULL); + /* ret= */ NULL); if (r < 0) return r; @@ -2231,6 +2232,7 @@ static int run(int argc, char *argv[]) { &arg_verity_settings, /* mount_options= */ NULL, arg_image_policy, + /* image_filter= */ NULL, arg_flags, &m); if (r < 0) diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index b9b5b60da88..f1a4f9cca53 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -1103,6 +1103,7 @@ static int enumerate_partitions(dev_t devnum) { /* verity= */ NULL, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| DISSECT_IMAGE_DISKSEQ_DEVNODE| diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c index adbb91d8a0d..a693419eec7 100644 --- a/src/mountfsd/mountwork.c +++ b/src/mountfsd/mountwork.c @@ -414,6 +414,7 @@ static int vl_method_mount_image( &verity, /* mount_options= */ NULL, use_policy, + /* image_filter= */ NULL, dissect_flags, &di); if (r == -ENOPKG) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 32796375c54..17b0c85185b 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c 
@@ -6370,8 +6370,9 @@ static int run(int argc, char *argv[]) { r = dissect_loop_device_and_warn( loop, &arg_verity_settings, - /* mount_options=*/ NULL, + /* mount_options= */ NULL, arg_image_policy ?: &image_policy_container, + /* image_filter= */ NULL, dissect_image_flags, &dissected_image); if (r == -ENOPKG) { diff --git a/src/portable/portable.c b/src/portable/portable.c index 84fc4fa7064..a70484eb662 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c @@ -425,6 +425,7 @@ static int portable_extract_by_path( /* verity= */ NULL, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, flags, &m); if (r == -ENOPKG) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c index f9a1b2ffaa5..721ad2d0f20 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -1726,6 +1726,7 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) { /* verity= */ NULL, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, flags, &m); if (r < 0) diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 660a05379f3..ca9b8d985bb 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -667,6 +667,18 @@ static int compare_arch(Architecture a, Architecture b) { return 0; } +static bool image_filter_test(const ImageFilter *filter, PartitionDesignator d, const char *name) { + assert(d < _PARTITION_DESIGNATOR_MAX); + + if (d < 0) /* For unspecified designators we have no filter expression */ + return true; + + if (!filter || !filter->pattern[d]) + return true; + + return fnmatch(filter->pattern[d], strempty(name), FNM_NOESCAPE) == 0; +} + static int dissect_image( DissectedImage *m, int fd, @@ -674,6 +686,7 @@ static int dissect_image( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *policy, + const ImageFilter *filter, DissectImageFlags flags) { sd_id128_t root_uuid = SD_ID128_NULL, root_verity_uuid = SD_ID128_NULL; 
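Review bot: `image_filter_test()`, added in the `@@ -667` hunk, has no comment saying that it lets a partition through whenever the designator is negative, `filter` is NULL, or no pattern is set for that designator, so the filter only narrows designators that were explicitly given a pattern. The `name` it matches is the partition label, which at the call sites added later in this patch presumably comes straight from the partition table of the image being dissected; a glob on that string selects among partitions but does not authenticate them. I would state both points above the function, e.g. `/* Returns true if the partition passes the filter. Designators without a pattern always pass. The label is untrusted image data: this selects, it does not verify. */`. It is also worth noting there that any non-zero `fnmatch()` result, including an error return, is treated as a mismatch.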
@@ -792,6 +805,9 @@ static int dissect_image( /* OK, we have found a file system, that's our root partition then. */ + if (!image_filter_test(filter, PARTITION_ROOT, /* label= */ NULL)) /* do a filter check with an empty partition label */ + return -ECOMM; + r = image_policy_may_use(policy, PARTITION_ROOT); if (r < 0) return r; @@ -1006,6 +1022,9 @@ static int dissect_image( if (streq_ptr(label, "_empty")) continue; + if (!image_filter_test(filter, type.designator, label)) + continue; + log_debug("Dissecting %s partition with label %s and UUID %s", strna(partition_designator_to_string(type.designator)), strna(label), SD_ID128_TO_UUID_STRING(id)); @@ -1162,6 +1181,9 @@ static int dissect_image( /* We don't have a designator for SD_GPT_LINUX_GENERIC so check the UUID instead. */ } else if (sd_id128_equal(type.uuid, SD_GPT_LINUX_GENERIC)) { + if (!image_filter_test(filter, PARTITION_ROOT, label)) + continue; + check_partition_flags(node, pflags, SD_GPT_FLAG_NO_AUTO | SD_GPT_FLAG_READ_ONLY | SD_GPT_FLAG_GROWFS); @@ -1307,6 +1329,9 @@ static int dissect_image( if (pflags != 0x80) /* Bootable flag */ continue; + if (!image_filter_test(filter, PARTITION_ROOT, /* label= */ NULL)) + continue; + if (generic_node) multiple_generic = true; else { @@ -1324,6 +1349,9 @@ static int dissect_image( sd_id128_t id = SD_ID128_NULL; const char *options = NULL; + if (!image_filter_test(filter, PARTITION_XBOOTLDR, /* label= */ NULL)) + continue; + r = image_policy_may_use(policy, PARTITION_XBOOTLDR); if (r < 0) return r; @@ -1570,6 +1598,7 @@ int dissect_image_file( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { 
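Review bot: The `return -ECOMM;` added in the `@@ -792` hunk introduces a new error code for "the single file system was rejected by the root filter", but nothing in this patch documents it, and none of the visible hunks touch `dissect_log_error()`, so the `_and_warn` callers presumably report it with a generic message. A comment at the return, e.g. `/* -ECOMM: no partition table, and the root filter does not match an empty label */`, plus a matching case in `dissect_log_error()`, would make this failure diagnosable. The argument annotation `/* label= */ NULL` here, and again in the `@@ -1307` and `@@ -1324` hunks, names a parameter that `image_filter_test()` declares as `name`; one of the two should be renamed. `dissect_image()` extends well beyond these hunks, so this is based only on the lines shown.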
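Review bot: A partition rejected by the filter in the `@@ -1006` hunk is dropped with a bare `continue` that sits before the existing `log_debug("Dissecting %s partition ...")`, so a debug log gives no trace of why an expected partition was not picked up. Because the filter decides which partitions of an image are considered at all, I would log the rejection before skipping, e.g. `log_debug("Partition with label '%s' does not match image filter, ignoring.", strna(label));`. The same applies to the `continue` added for `SD_GPT_LINUX_GENERIC` in the `@@ -1162` hunk. The surrounding loop starts and ends outside these hunks.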
@@ -1602,7 +1631,7 @@ int dissect_image_file( if (r < 0) return r; - r = dissect_image(m, fd, path, verity, mount_options, image_policy, flags); + r = dissect_image(m, fd, path, verity, mount_options, image_policy, image_filter, flags); if (r < 0) return r; @@ -1672,12 +1701,13 @@ int dissect_image_file_and_warn( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { return dissect_log_error( LOG_ERR, - dissect_image_file(path, verity, mount_options, image_policy, flags, ret), + dissect_image_file(path, verity, mount_options, image_policy, image_filter, flags, ret), path, verity); } 
@@ -3134,6 +3164,68 @@ int dissected_image_relinquish(DissectedImage *m) { return 0; } +void image_filter_done(ImageFilter *f) { + assert(f); + + FOREACH_ELEMENT(p, f->pattern) + *p = mfree(*p); +} + +ImageFilter *image_filter_free(ImageFilter *f) { + if (!f) + return NULL; + + image_filter_done(f); + return mfree(f); +} + +int image_filter_parse(const char *s, ImageFilter **ret) { + _cleanup_(image_filter_freep) ImageFilter *f = NULL; + int r; + + if (isempty(s)) { + if (ret) + *ret = NULL; + return 0; + } + + for (;;) { + _cleanup_free_ char *word = NULL; + + r = extract_first_word(&s, &word, ":", EXTRACT_UNQUOTE|EXTRACT_DONT_COALESCE_SEPARATORS); + if (r < 0) + return log_debug_errno(r, "Failed to extract word: %m"); + if (r == 0) + break; + + _cleanup_free_ char *designator = NULL, *pattern = NULL; + const char *x = word; + r = extract_many_words(&x, "=", EXTRACT_UNQUOTE|EXTRACT_DONT_COALESCE_SEPARATORS, &designator, &pattern); + if (r < 0) + return log_debug_errno(r, "Failed to extract designator: %m"); + if (r != 2 || !isempty(x)) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to split: %m"); + + PartitionDesignator d = partition_designator_from_string(designator); + if (d < 0) + return log_debug_errno(d, "Failed to parse partition designator: %s", designator); + + if (!f) { + f = new0(ImageFilter, 1); + if (!f) + return log_oom_debug(); + } else if (f->pattern[d]) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Duplicate pattern for '%s', refusing.", partition_designator_to_string(d)); + + f->pattern[d] = TAKE_PTR(pattern); + } + + if (ret) + *ret = TAKE_PTR(f); + + return 0; +} + static char *build_auxiliary_path(const char *image, const char *suffix) { const char *e; char *n; @@ -3940,6 +4032,7 @@ int dissect_loop_device( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { 
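Review bot: In `image_filter_parse()` (`@@ -3134` hunk) every item is processed with `EXTRACT_UNQUOTE` twice, once by `extract_first_word()` splitting on `:` and again by `extract_many_words()` splitting on `=`. Quoting that protects a `:` inside a pattern is therefore presumably already stripped before the `=` split and cannot protect an `=`, and escapes would likewise be consumed twice. If labels containing `=` or quote characters are meant to be matchable, the second step could split on the first `=` literally; either way the accepted syntax belongs in a comment above the function. Separately, `"Unable to split: %m"` does not say which item was rejected; a message that prints `word`, such as `"Failed to parse filter item '%s'."`, would be more useful in a debug log.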
@@ -3957,7 +4050,15 @@ int dissect_loop_device( m->image_size = m->loop->device_size; m->sector_size = m->loop->sector_size; - r = dissect_image(m, loop->fd, loop->node, verity, mount_options, image_policy, flags); + r = dissect_image( + m, + loop->fd, + loop->node, + verity, + mount_options, + image_policy, + image_filter, + flags); if (r < 0) return r; @@ -3975,6 +4076,7 @@ int dissect_loop_device_and_warn( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { @@ -3982,7 +4084,7 @@ int dissect_loop_device_and_warn( return dissect_log_error( LOG_ERR, - dissect_loop_device(loop, verity, mount_options, image_policy, flags, ret), + dissect_loop_device(loop, verity, mount_options, image_policy, image_filter, flags, ret), loop->backing_file ?: loop->node, verity); } @@ -4101,6 +4203,7 @@ int mount_image_privately_interactively( &verity, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, flags, &dissected_image); if (r < 0) @@ -4182,6 +4285,7 @@ int verity_dissect_and_mount( const char *dest, const MountOptions *options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, @@ -4239,6 +4343,7 @@ int verity_dissect_and_mount( verity, options, image_policy, + image_filter, dissect_image_flags, &dissected_image); /* No partition table? Might be a single-filesystem image, try again */ @@ -4248,6 +4353,7 @@ int verity_dissect_and_mount( verity, options, image_policy, + image_filter, dissect_image_flags | DISSECT_IMAGE_NO_PARTITION_TABLE, &dissected_image); if (r < 0) diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h index 8725ff9921a..3d919a65e0f 100644 --- a/src/shared/dissect-image.h +++ b/src/shared/dissect-image.h 
@@ -19,6 +19,7 @@ typedef struct DissectedPartition DissectedPartition; typedef struct DecryptedImage DecryptedImage; typedef struct MountOptions MountOptions; typedef struct VeritySettings VeritySettings; +typedef struct ImageFilter ImageFilter; struct DissectedPartition { bool found:1; @@ -148,6 +149,11 @@ struct VeritySettings { .designator = _PARTITION_DESIGNATOR_INVALID \ } +struct ImageFilter { + /* A per designator glob matching against the partition label */ + char *pattern[_PARTITION_DESIGNATOR_MAX]; +}; + /* We include image-policy.h down here, since ImagePolicy wants a complete definition of PartitionDesignator first. */ #include "image-policy.h" 
@@ -161,10 +167,10 @@ static inline int probe_filesystem(const char *path, char **ret_fstype) { } int dissect_log_error(int log_level, int r, const char *name, const VeritySettings *verity); -int dissect_image_file(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); -int dissect_image_file_and_warn(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); -int dissect_loop_device(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); -int dissect_loop_device_and_warn(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); +int dissect_image_file(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); +int dissect_image_file_and_warn(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); +int dissect_loop_device(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); +int dissect_loop_device_and_warn(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); void dissected_image_close(DissectedImage *m); DissectedImage* dissected_image_unref(DissectedImage *m); 
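Review bot: The four prototypes changed in the `@@ -161` hunk name the new parameter `filter`, while the definitions in `dissect-image.c` (`@@ -1570`, `@@ -1672`, `@@ -3940` and `@@ -3975` hunks) and the `verity_dissect_and_mount()` prototype in this same header call it `image_filter`. Call sites throughout the patch annotate the argument as `/* image_filter= */`. The header should use `const ImageFilter *image_filter` as well, so that declaration, definition and annotations stay in step.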
@@ -201,6 +207,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DecryptedImage*, decrypted_image_unref); int dissected_image_relinquish(DissectedImage *m); +void image_filter_done(ImageFilter *f); +ImageFilter *image_filter_free(ImageFilter *f); +DEFINE_TRIVIAL_CLEANUP_FUNC(ImageFilter*, image_filter_free); +int image_filter_parse(const char *s, ImageFilter **ret); + int verity_settings_load(VeritySettings *verity, const char *image, const char *root_hash_path, const char *root_hash_sig_path); static inline bool verity_settings_set(const VeritySettings *settings) { @@ -237,7 +248,7 @@ bool dissected_image_verity_sig_ready(const DissectedImage *image, PartitionDesi int mount_image_privately_interactively(const char *path, const ImagePolicy *image_policy, DissectImageFlags flags, char **ret_directory, int *ret_dir_fd, LoopDevice **ret_loop_device); -int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_host_os_release_confext_level, const char *required_sysext_scope, VeritySettings *verity, DissectedImage **ret_image); +int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const ImageFilter *image_filter, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_host_os_release_confext_level, const char *required_sysext_scope, VeritySettings *verity, DissectedImage **ret_image); int dissect_fstype_ok(const char *fstype); diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index d7471bc78d2..c92e779a87f 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c 
@@ -969,6 +969,7 @@ static int mount_in_namespace_legacy( mount_tmp, options, image_policy, + /* image_filter= */ NULL, /* required_host_os_release_id= */ NULL, /* required_host_os_release_version_id= */ NULL, /* required_host_os_release_sysext_level= */ NULL, @@ -1193,6 +1194,7 @@ static int mount_in_namespace( /* dest= */ NULL, options, image_policy, + /* image_filter= */ NULL, /* required_host_os_release_id= */ NULL, /* required_host_os_release_version_id= */ NULL, /* required_host_os_release_sysext_level= */ NULL, diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c index d2bb992d148..201787b2517 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -1802,6 +1802,7 @@ static int merge_subprocess( &verity_settings, /* mount_options= */ NULL, pick_image_policy(img), + /* image_filter= */ NULL, flags, &m); if (r < 0) diff --git a/src/test/meson.build b/src/test/meson.build index 4ef296a41aa..424e4f55637 100644 --- a/src/test/meson.build +++ b/src/test/meson.build @@ -105,6 +105,7 @@ simple_tests += files( 'test-hostname-setup.c', 'test-hostname-util.c', 'test-id128.c', + 'test-image-filter.c', 'test-image-policy.c', 'test-import-util.c', 'test-in-addr-prefix-util.c', diff --git a/src/test/test-image-filter.c b/src/test/test-image-filter.c new file mode 100644 index 00000000000..d5d157727d6 --- /dev/null +++ b/src/test/test-image-filter.c 
@@ -0,0 +1,39 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ + +#include "dissect-image.h" +#include "tests.h" + +TEST(image_filter) { + _cleanup_(image_filter_freep) ImageFilter *f = NULL; + + ASSERT_OK(image_filter_parse(NULL, &f)); + ASSERT_NULL(f); + ASSERT_OK(image_filter_parse("", &f)); + ASSERT_NULL(f); + + ASSERT_OK(image_filter_parse("root=*", &f)); + ASSERT_NOT_NULL(f); + ASSERT_STREQ(f->pattern[PARTITION_ROOT], "*"); + f = image_filter_free(f); + + ASSERT_OK(image_filter_parse("usr=foox?:root=kn*arz", &f)); + ASSERT_NOT_NULL(f); + ASSERT_STREQ(f->pattern[PARTITION_ROOT], "kn*arz"); + ASSERT_STREQ(f->pattern[PARTITION_USR], "foox?"); + f = image_filter_free(f); + + ASSERT_OK(image_filter_parse("usr=foox?:root=kn*arz:home=wumpi", &f)); + ASSERT_NOT_NULL(f); + ASSERT_STREQ(f->pattern[PARTITION_ROOT], "kn*arz"); + ASSERT_STREQ(f->pattern[PARTITION_USR], "foox?"); + ASSERT_STREQ(f->pattern[PARTITION_HOME], "wumpi"); + f = image_filter_free(f); + + ASSERT_ERROR(image_filter_parse("usr=foox?:root=kn*arz:home=wumpi:schlumpf=smurf", &f), EINVAL); + ASSERT_ERROR(image_filter_parse(":", &f), EINVAL); + ASSERT_ERROR(image_filter_parse("::", &f), EINVAL); + ASSERT_ERROR(image_filter_parse("-", &f), EINVAL); + ASSERT_ERROR(image_filter_parse("root=knuff:root=knuff", &f), EINVAL); +} + +DEFINE_TEST_MAIN(LOG_INFO); diff --git a/src/test/test-loop-block.c b/src/test/test-loop-block.c index c18582795b6..c2addc59243 100644 --- a/src/test/test-loop-block.c +++ b/src/test/test-loop-block.c 
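Review bot: `TEST(image_filter)` pins well-formed input and a few malformed strings, but not the boundary inputs `root=` (empty pattern), `=foo` (empty designator) or an item with a quoted separator. Nothing exercises matching either, since `image_filter_test()` is static in `dissect-image.c`. The empty pattern matters because the no-partition-table path matches against an empty label and fails the whole dissection on a mismatch, so whether `root=` is accepted should be a tested decision rather than a side effect of the word splitter. I would add one `ASSERT_OK` or `ASSERT_ERROR` line per boundary input once the intended behaviour is settled.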
@@ -81,7 +81,14 @@ static void* thread_func(void *ptr) { log_notice("Acquired loop device %s, will mount on %s", loop->node, mounted); - r = dissect_loop_device(loop, NULL, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected); + r = dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &dissected); if (r < 0) log_error_errno(r, "Failed dissect loopback device %s: %m", loop->node); assert_se(r >= 0); @@ -218,7 +225,14 @@ static int run(int argc, char *argv[]) { sfdisk = NULL; #if HAVE_BLKID - assert_se(dissect_image_file(p, NULL, NULL, NULL, 0, &dissected) >= 0); + assert_se(dissect_image_file( + p, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + /* flags= */ 0, + &dissected) >= 0); verify_dissected_image(dissected); dissected = dissected_image_unref(dissected); #endif @@ -232,7 +246,14 @@ static int run(int argc, char *argv[]) { assert_se(loop_device_make(fd, O_RDWR, 0, UINT64_MAX, 0, LO_FLAGS_PARTSCAN, LOCK_EX, &loop) >= 0); #if HAVE_BLKID - assert_se(dissect_loop_device(loop, NULL, NULL, NULL, DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected) >= 0); + assert_se(dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &dissected) >= 0); verify_dissected_image(dissected); FOREACH_STRING(fs, "vfat", "ext4") { 
@@ -268,12 +289,26 @@ static int run(int argc, char *argv[]) { /* Try to read once, without pinning or adding partitions, i.e. by only accessing the whole block * device. */ - assert_se(dissect_loop_device(loop, NULL, NULL, NULL, 0, &dissected) >= 0); + assert_se(dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + /* flags= */ 0, + &dissected) >= 0); verify_dissected_image_harder(dissected); dissected = dissected_image_unref(dissected); /* Now go via the loopback device after all, but this time add/pin, because now we want to mount it. */ - assert_se(dissect_loop_device(loop, NULL, NULL, NULL, DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected) >= 0); + assert_se(dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &dissected) >= 0); verify_dissected_image_harder(dissected); assert_se(mkdtemp_malloc(NULL, &mounted) >= 0); diff --git a/src/udev/udev-builtin-dissect_image.c b/src/udev/udev-builtin-dissect_image.c index 3a598952aca..f4acd41409e 100644 --- a/src/udev/udev-builtin-dissect_image.c +++ b/src/udev/udev-builtin-dissect_image.c @@ -121,6 +121,7 @@ static int verb_probe(UdevEvent *event, sd_device *dev) { &arg_verity_settings, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, DISSECT_IMAGE_READ_ONLY| DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| @@ -167,6 +168,7 @@ static int verb_probe(UdevEvent *event, sd_device *dev) { &arg_verity_settings, /* mount_options= */ NULL, image_policy_mangled, + /* image_filter= */ NULL, DISSECT_IMAGE_READ_ONLY| DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c index 4629cf0e79a..cbf7badbfe7 100644 --- a/src/vmspawn/vmspawn.c +++ b/src/vmspawn/vmspawn.c 
@@ -1194,6 +1194,7 @@ static int discover_root(char **ret) { /* verity= */ NULL, /* mount_options= */ NULL, /* image_policy= */ NULL, + /* image_filter= */ NULL, /* flags= */ 0, &image); if (r < 0) -- 2.47.3