dissect-image: process /usr/ GPT partition type

Lennart Poettering
2020-08-22 12:21:51 +02:00
parent 2bc181dae7
commit aee36b4ea2
5 changed files with 294 additions and 66 deletions


@@ -942,7 +942,7 @@ static int mount_images(const MountEntry *m) {
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
_cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
_cleanup_(verity_settings_done) VeritySettings verity = {};
_cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
DissectImageFlags dissect_image_flags;
int r;
@@ -1417,6 +1417,7 @@ static int verity_settings_prepare(
free_and_replace(verity->root_hash, d);
verity->root_hash_size = root_hash_size;
verity->designator = PARTITION_ROOT;
}
if (root_hash_sig) {
@@ -1428,6 +1429,7 @@ static int verity_settings_prepare(
free_and_replace(verity->root_hash_sig, d);
verity->root_hash_sig_size = root_hash_sig_size;
verity->designator = PARTITION_ROOT;
}
if (verity_data_path) {
@@ -1480,7 +1482,7 @@ int setup_namespace(
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
_cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
_cleanup_(verity_settings_done) VeritySettings verity = {};
_cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
MountEntry *m = NULL, *mounts = NULL;
bool require_prefix = false;
const char *root;
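Review bot: In verity_settings_prepare() the two added `verity->designator = PARTITION_ROOT;` assignments bind a caller-supplied root hash and signature to the root partition without saying why, and nothing visible in these hunks sets a designator when only `verity_data_path` is given. The designator appears to decide which partition the hash protects, so I would document the binding at the first assignment, e.g. `/* A hash or signature passed in by the caller always describes the root file system, never /usr */`, if that is the intent. It is also worth confirming that the `if (verity_data_path)` branch, whose body lies outside the hunk, cannot leave `data_path` set while the designator is still `_PARTITION_DESIGNATOR_INVALID`. The function starts and ends outside the hunks shown.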


@@ -44,7 +44,7 @@ static const char *arg_path = NULL;
static const char *arg_source = NULL;
static const char *arg_target = NULL;
static DissectImageFlags arg_flags = DISSECT_IMAGE_REQUIRE_ROOT|DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK;
static VeritySettings arg_verity_settings = {};
static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT;
static bool arg_json = false;
static JsonFormatFlags arg_json_format_flags = 0;


@@ -201,7 +201,7 @@ static bool arg_notify_ready = false;
static bool arg_use_cgns = true;
static unsigned long arg_clone_ns_flags = CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS;
static MountSettingsMask arg_mount_settings = MOUNT_APPLY_APIVFS_RO|MOUNT_APPLY_TMPFS_TMP;
static VeritySettings arg_verity_settings = {};
static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT;
static char **arg_syscall_allow_list = NULL;
static char **arg_syscall_deny_list = NULL;
#if HAVE_SECCOMP

File diff suppressed because it is too large Load Diff


@@ -31,6 +31,8 @@ struct DissectedPartition {
typedef enum PartitionDesignator {
PARTITION_ROOT,
PARTITION_ROOT_SECONDARY, /* Secondary architecture */
PARTITION_USR,
PARTITION_USR_SECONDARY,
PARTITION_HOME,
PARTITION_SRV,
PARTITION_ESP,
@@ -38,6 +40,8 @@ typedef enum PartitionDesignator {
PARTITION_SWAP,
PARTITION_ROOT_VERITY, /* verity data for the PARTITION_ROOT partition */
PARTITION_ROOT_SECONDARY_VERITY, /* verity data for the PARTITION_ROOT_SECONDARY partition */
PARTITION_USR_VERITY,
PARTITION_USR_SECONDARY_VERITY,
PARTITION_TMP,
PARTITION_VAR,
_PARTITION_DESIGNATOR_MAX,
@@ -45,11 +49,23 @@ typedef enum PartitionDesignator {
} PartitionDesignator;
static inline PartitionDesignator PARTITION_VERITY_OF(PartitionDesignator p) {
if (p == PARTITION_ROOT)
switch (p) {
case PARTITION_ROOT:
return PARTITION_ROOT_VERITY;
if (p == PARTITION_ROOT_SECONDARY)
case PARTITION_ROOT_SECONDARY:
return PARTITION_ROOT_SECONDARY_VERITY;
return _PARTITION_DESIGNATOR_INVALID;
case PARTITION_USR:
return PARTITION_USR_VERITY;
case PARTITION_USR_SECONDARY:
return PARTITION_USR_SECONDARY_VERITY;
default:
return _PARTITION_DESIGNATOR_INVALID;
}
}
typedef enum DissectImageFlags {
@@ -61,9 +77,9 @@ typedef enum DissectImageFlags {
DISSECT_IMAGE_DISCARD |
DISSECT_IMAGE_DISCARD_ON_CRYPTO,
DISSECT_IMAGE_GPT_ONLY = 1 << 4, /* Only recognize images with GPT partition tables */
DISSECT_IMAGE_REQUIRE_ROOT = 1 << 5, /* Don't accept disks without root partition */
DISSECT_IMAGE_MOUNT_ROOT_ONLY = 1 << 6, /* Mount only the root partition */
DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY = 1 << 7, /* Mount only non-root partitions */
DISSECT_IMAGE_REQUIRE_ROOT = 1 << 5, /* Don't accept disks without root partition (and if no partition table or only single generic partition, assume it's root) */
DISSECT_IMAGE_MOUNT_ROOT_ONLY = 1 << 6, /* Mount only the root and /usr partitions */
DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY = 1 << 7, /* Mount only the non-root and non-/usr partitions */
DISSECT_IMAGE_VALIDATE_OS = 1 << 8, /* Refuse mounting images that aren't identifiable as OS images */
DISSECT_IMAGE_NO_UDEV = 1 << 9, /* Don't wait for udev initializing things */
DISSECT_IMAGE_RELAX_VAR_CHECK = 1 << 10, /* Don't insist that the UUID of /var is hashed from /etc/machine-id */
@@ -104,8 +120,15 @@ struct VeritySettings {
/* Path to the verity data file, if stored externally */
char *data_path;
/* PARTITION_ROOT or PARTITION_USR, depending on what these Verity settings are for */
PartitionDesignator designator;
};
#define VERITY_SETTINGS_DEFAULT { \
.designator = _PARTITION_DESIGNATOR_INVALID \
}
MountOptions* mount_options_free_all(MountOptions *options);
DEFINE_TRIVIAL_CLEANUP_FUNC(MountOptions*, mount_options_free_all);
const char* mount_options_from_designator(const MountOptions *options, PartitionDesignator designator);
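Review bot: `VERITY_SETTINGS_DEFAULT` protects only the instances that are initialised through it, because `PARTITION_ROOT` is the first enumerator of `PartitionDesignator`. A zero-filled `VeritySettings` (`= {}`, memset, zeroed allocation) therefore reads as "these settings are for the root partition", not as "unset". The commit converts the initialisers visible on this page, but only four of the five changed files are shown, so other instances cannot be checked from here. I would state the rule next to the macro, e.g. `/* Always initialise VeritySettings with this: an all-zero struct has designator == PARTITION_ROOT, not _PARTITION_DESIGNATOR_INVALID */`, and have code that consumes the struct treat an invalid designator as "no verity binding chosen yet" rather than defaulting to root.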