mountfsd: allow privileged users to mount bare unprotected filesystems

This is useful when we start to call mountfsd from root, for example from the tests where we just use a simple squashfs/erofs. Note that this requires the caller to be root, and it will be rejected otherwise, as such images are classified as 'unprotected' and the enforced policy does not accept them for unprivileged users.
2026-04-15 00:47:10 +09:00 · 2025-10-21 00:37:44 +01:00
parent 3331d99b49
commit 53d49fbf3f
2 changed files with 12 additions and 1 deletions
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
    mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
 fi

+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+    true)
+
 # Install key in keychain
 mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/