mountfsd: allow privileged users to mount bare unprotected filesystems

This is useful when we start to call mountfsd from root, for example
from the tests where we just use a simple squashfs/erofs.
Note that this requires the caller to be root, and it will be rejected
otherwise, as such images are classified as 'unprotected' and the
enforced policy does not accept them for unprivileged users.
Author: Luca Boccassi
Date: 2025-10-21 00:37:44 +01:00
parent 3331d99b49
commit 53d49fbf3f
2 changed files with 12 additions and 1 deletion


@@ -449,7 +449,9 @@ static int vl_method_mount_image(
DISSECT_IMAGE_ADD_PARTITION_DEVICES |
DISSECT_IMAGE_PIN_PARTITION_DEVICES |
(p.verity_sharing ? DISSECT_IMAGE_VERITY_SHARE : 0) |
(p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
/* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
* classified by the policy as an 'unprotected' image and will be refused otherwise. */
DISSECT_IMAGE_NO_PARTITION_TABLE |
DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
/* Let's see if we have acquired the privilege to mount untrusted images already */
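Review bot: with `DISSECT_IMAGE_NO_PARTITION_TABLE |` now OR'ed in unconditionally, the preceding term `(p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |` is dead and should be dropped, otherwise a reader will assume the flag is still tied to the verity data fd. The new comment also says the bare-filesystem case "will be refused otherwise" for unprivileged callers, but nothing in this hunk enforces that; the refusal has to come from the image policy check that the following comment ("Let's see if we have acquired the privilege to mount untrusted images already") introduces. Suggest pointing the comment at that check explicitly, e.g. "rejected by the enforced image policy below unless the caller is privileged", so nobody goes looking for a uid check in this expression.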


@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
fi
# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
(! systemd-run -M testuser@ --user --pipe --wait \
--property ExtensionImages=/tmp/app1.raw \
true)
(! systemd-run -M testuser@ --user --pipe --wait \
--property ExtensionImages=/tmp/app1.raw \
--property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
true)
# Install key in keychain
mkdir -p /run/verity.d
cp /tmp/test-50-unpriv-cert.crt /run/verity.d/
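Review bot: the added test only covers the negative path: `testuser@` is refused the bare squashfs both with the default policy and with `unprotected` explicitly listed in ExtensionImagePolicy. There is no positive case asserting that the same /tmp/app1.raw is accepted when the request comes from root, which is the behaviour this commit adds per the commit message; a regression in the privileged path would go unnoticed. Suggest adding a run without `-M testuser@ --user` (i.e. as root) that is expected to succeed, provided that path actually goes through mountfsd in this test. It would also help to say in the comment where /tmp/app1.raw is created, since the claim that it carries "no verity or signature" cannot be checked from this hunk alone.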