morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 00:47:10 +09:00
Code Issues Packages Projects Releases Wiki Activity

sysext: Support global sysext/confext

Browse Source 
Load global sysext/confext from /.extra/global_{sysext,confext} which
systemd-stub puts there from ESP/loader/credentials/*.{sysext,confext}.raw.
Global extensions are handled the exact same way as per-UKI ones.
This commit is contained in:
Vitaly Kuznetsov
2025-07-07 15:03:55 +02:00
parent 9f7e3820e9
commit 8d07a8d6b1
4 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/shared/discover-image.c
View File

@@ -76,20 +76,22 @@ const char* const image_search_path[_IMAGE_CLASS_MAX] = {
"/usr/lib/confexts\0",
};
/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
* .extra/confext/ in extension search dir) */
/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/,
* /.extra/global_sysext, .extra/confext/, and /.extra/global_confext in extension search dir) */
static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
/* (entries that aren't listed here will get the same search path as for the non initrd-case) */
[IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
"/run/extensions\0" /* and here too */
"/var/lib/extensions\0" /* the main place for images */
"/.extra/sysext\0", /* put sysext picked up by systemd-stub last, since not trusted */
"/.extra/sysext\0" /* put sysext (per-UKI and global) picked up by systemd-stub */
"/.extra/global_sysext\0", /* last, since not trusted */
[IMAGE_CONFEXT] = "/run/confexts\0" /* only place symlinks here */
"/var/lib/confexts\0" /* the main place for images */
"/usr/local/lib/confexts\0"
"/.extra/confext\0", /* put confext picked up by systemd-stub last, since not trusted */
"/.extra/confext\0" /* put confext (per-UKI and global) picked up by systemd-stub */
"/.extra/global_confext\0", /* last, since not trusted. */
};
static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {

6
src/sysext/sysext.c
View File

@@ -1660,15 +1660,19 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
if (arg_image_policy)
return arg_image_policy;
/* If located in /.extra/sysext/ in the initrd, then it was placed there by systemd-stub, and was
/* If located in /.extra/ in the initrd, then it was placed there by systemd-stub, and was
* picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
* other directories we assume the appropriate level of trust was already established already. */
if (in_initrd()) {
if (path_startswith(img->path, "/.extra/sysext/"))
return &image_policy_sysext_strict;
if (path_startswith(img->path, "/.extra/global_sysext/"))
return &image_policy_sysext_strict;
if (path_startswith(img->path, "/.extra/confext/"))
return &image_policy_confext_strict;
if (path_startswith(img->path, "/.extra/global_confext/"))
return &image_policy_confext_strict;
/* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
if (path_startswith(img->path, "/.extra/"))

1
units/systemd-confext-initrd.service
View File

@@ -17,6 +17,7 @@ ConditionDirectoryNotEmpty=|/var/lib/confexts
ConditionDirectoryNotEmpty=|/usr/local/lib/confexts
ConditionDirectoryNotEmpty=|/usr/lib/confexts
ConditionDirectoryNotEmpty=|/.extra/confext
ConditionDirectoryNotEmpty=|/.extra/global_confext
ConditionPathExists=/etc/initrd-release
DefaultDependencies=no

1
units/systemd-sysext-initrd.service
View File

@@ -16,6 +16,7 @@ ConditionDirectoryNotEmpty=|/etc/extensions
ConditionDirectoryNotEmpty=|/run/extensions
ConditionDirectoryNotEmpty=|/var/lib/extensions
ConditionDirectoryNotEmpty=|/.extra/sysext
ConditionDirectoryNotEmpty=|/.extra/global_sysext
ConditionPathExists=/etc/initrd-release
DefaultDependencies=no