confext: make sure we pick up configuration extensions passed to us from the stub

With fixes from Maanya Goenka.
2026-03-06 15:02:31 -08:00 · 2023-11-08 19:10:44 +01:00
parent 39e0c237f1
commit d4fee8941a
6 changed files with 33 additions and 8 deletions
--- a/src/analyze/analyze-image-policy.c
+++ b/src/analyze/analyze-image-policy.c
@@ -94,6 +94,8 @@ int verb_image_policy(int argc, char *argv[], void *userdata) {
                        p = &image_policy_sysext_strict;
                else if (streq(argv[i], "@confext"))
                        p = &image_policy_confext;
+                else if (streq(argv[i], "@confext-strict"))
+                        p = &image_policy_confext_strict;
                else if (streq(argv[i], "@container"))
                        p = &image_policy_container;
                else if (streq(argv[i], "@service"))
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@@ -75,15 +75,20 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
                            "/usr/lib/confexts\0",
 };

-/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext in extension
- * search dir) */
+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
+ * .extra/confext/ in extension search dir) */
 static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
        /* (entries that aren't listed here will get the same search path as for the non initrd-case) */

        [IMAGE_SYSEXT] =    "/etc/extensions\0"            /* only place symlinks here */
                            "/run/extensions\0"            /* and here too */
                            "/var/lib/extensions\0"        /* the main place for images */
-                            "/.extra/sysext\0"             /* put sysext picked up by systemd-stub last, since not trusted */
+                            "/.extra/sysext\0",            /* put sysext picked up by systemd-stub last, since not trusted */
+
+        [IMAGE_CONFEXT] =   "/run/confexts\0"              /* only place symlinks here */
+                            "/var/lib/confexts\0"          /* the main place for images */
+                            "/usr/local/lib/confexts\0"
+                            "/.extra/confext\0",           /* put confext picked up by systemd-stub last, since not trusted */
 };

 static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {
--- a/src/shared/image-policy.c
+++ b/src/shared/image-policy.c
@@ -726,6 +726,14 @@ const ImagePolicy image_policy_confext = {
        .default_flags = PARTITION_POLICY_IGNORE,
 };

+const ImagePolicy image_policy_confext_strict = {
+        .n_policies = 1,
+        .policies = {
+                { PARTITION_ROOT,     PARTITION_POLICY_SIGNED|PARTITION_POLICY_ABSENT },
+        },
+        .default_flags = PARTITION_POLICY_IGNORE,
+};
+
 const ImagePolicy image_policy_container = {
        /* For systemd-nspawn containers we use all partitions, with the exception of swap */
        .n_policies = 8,
--- a/src/shared/image-policy.h
+++ b/src/shared/image-policy.h
@@ -58,9 +58,10 @@ struct ImagePolicy {
 extern const ImagePolicy image_policy_allow;
 extern const ImagePolicy image_policy_deny;
 extern const ImagePolicy image_policy_ignore;
-extern const ImagePolicy image_policy_sysext;        /* No verity required */
-extern const ImagePolicy image_policy_sysext_strict; /* Signed verity required */
-extern const ImagePolicy image_policy_confext;       /* No verity required */
+extern const ImagePolicy image_policy_sysext;         /* No verity required */
+extern const ImagePolicy image_policy_sysext_strict;  /* Signed verity required */
+extern const ImagePolicy image_policy_confext;        /* No verity required */
+extern const ImagePolicy image_policy_confext_strict; /* Signed verity required */
 extern const ImagePolicy image_policy_container;
 extern const ImagePolicy image_policy_service;
 extern const ImagePolicy image_policy_host;
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -659,8 +659,16 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
         * picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
         * other directories we assume the appropriate level of trust was already established already.  */

-        if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
-                return &image_policy_sysext_strict;
+        if (in_initrd()) {
+                if (path_startswith(img->path, "/.extra/sysext/"))
+                        return &image_policy_sysext_strict;
+                if (path_startswith(img->path, "/.extra/confext/"))
+                        return &image_policy_confext_strict;
+
+                /* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
+                if (path_startswith(img->path, "/.extra/"))
+                        return &image_policy_deny;
+        }

        return image_class_info[img->class].default_image_policy;
 }
--- a/src/test/test-image-policy.c
+++ b/src/test/test-image-policy.c
@@ -79,6 +79,7 @@ TEST_RET(test_image_policy_to_string) {
        test_policy(&image_policy_sysext, "sysext");
        test_policy(&image_policy_sysext_strict, "sysext-strict");
        test_policy(&image_policy_confext, "confext");
+        test_policy(&image_policy_confext_strict, "confext-strict");
        test_policy(&image_policy_container, "container");
        test_policy(&image_policy_host, "host");
        test_policy(&image_policy_service, "service");