diff --git a/src/core/namespace.c b/src/core/namespace.c index fac3c05f61..2912f819e9 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1507,6 +1507,7 @@ static int mount_image( mount_entry_path(m), m->image_options_const, image_policy, + /* image_filter= */ NULL, host_os_release_id, host_os_release_version_id, host_os_release_sysext_level, @@ -2352,6 +2353,7 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) { p->verity, p->root_image_options, p->root_image_policy, + /* image_filter= */ NULL, dissect_image_flags, &dissected_image); if (r < 0) diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c index 06d6d3935f..fda688b21e 100644 --- a/src/dissect/dissect.c +++ b/src/dissect/dissect.c @@ -2106,10 +2106,11 @@ static int action_validate(void) { r = dissect_image_file_and_warn( arg_image, &arg_verity_settings, - NULL, + /* mount_options= */ NULL, arg_image_policy, + /* image_filter= */ NULL, arg_flags, - NULL); + /* ret= */ NULL); if (r < 0) return r; @@ -2231,6 +2232,7 @@ static int run(int argc, char *argv[]) { &arg_verity_settings, /* mount_options= */ NULL, arg_image_policy, + /* image_filter= */ NULL, arg_flags, &m); if (r < 0) diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index b9b5b60da8..f1a4f9cca5 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -1103,6 +1103,7 @@ static int enumerate_partitions(dev_t devnum) { /* verity= */ NULL, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| DISSECT_IMAGE_DISKSEQ_DEVNODE| diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c index adbb91d8a0..a693419eec 100644 --- a/src/mountfsd/mountwork.c +++ b/src/mountfsd/mountwork.c @@ -414,6 +414,7 @@ static int vl_method_mount_image( &verity, /* mount_options= */ NULL, use_policy, + /* image_filter= */ NULL, dissect_flags, &di); if (r == -ENOPKG) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 32796375c5..17b0c85185 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -6370,8 +6370,9 @@ static int run(int argc, char *argv[]) { r = dissect_loop_device_and_warn( loop, &arg_verity_settings, - /* mount_options=*/ NULL, + /* mount_options= */ NULL, arg_image_policy ?: &image_policy_container, + /* image_filter= */ NULL, dissect_image_flags, &dissected_image); if (r == -ENOPKG) { diff --git a/src/portable/portable.c b/src/portable/portable.c index 84fc4fa706..a70484eb66 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c @@ -425,6 +425,7 @@ static int portable_extract_by_path( /* verity= */ NULL, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, flags, &m); if (r == -ENOPKG) diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c index f9a1b2ffaa..721ad2d0f2 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -1726,6 +1726,7 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) { /* verity= */ NULL, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, flags, &m); if (r < 0) diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 660a05379f..ca9b8d985b 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -667,6 +667,18 @@ static int compare_arch(Architecture a, Architecture b) { return 0; } +static bool image_filter_test(const ImageFilter *filter, PartitionDesignator d, const char *name) { + assert(d < _PARTITION_DESIGNATOR_MAX); + + if (d < 0) /* For unspecified designators we have no filter expression */ + return true; + + if (!filter || !filter->pattern[d]) + return true; + + return fnmatch(filter->pattern[d], strempty(name), FNM_NOESCAPE) == 0; +} + static int dissect_image( DissectedImage *m, int fd, @@ -674,6 +686,7 @@ static int dissect_image( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *policy, + const ImageFilter *filter, DissectImageFlags flags) { sd_id128_t root_uuid = SD_ID128_NULL, root_verity_uuid = SD_ID128_NULL; @@ -792,6 +805,9 @@ static int dissect_image( /* OK, we have found a file system, that's our root partition then. */ + if (!image_filter_test(filter, PARTITION_ROOT, /* label= */ NULL)) /* do a filter check with an empty partition label */ + return -ECOMM; + r = image_policy_may_use(policy, PARTITION_ROOT); if (r < 0) return r; @@ -1006,6 +1022,9 @@ static int dissect_image( if (streq_ptr(label, "_empty")) continue; + if (!image_filter_test(filter, type.designator, label)) + continue; + log_debug("Dissecting %s partition with label %s and UUID %s", strna(partition_designator_to_string(type.designator)), strna(label), SD_ID128_TO_UUID_STRING(id)); @@ -1162,6 +1181,9 @@ static int dissect_image( /* We don't have a designator for SD_GPT_LINUX_GENERIC so check the UUID instead. */ } else if (sd_id128_equal(type.uuid, SD_GPT_LINUX_GENERIC)) { + if (!image_filter_test(filter, PARTITION_ROOT, label)) + continue; + check_partition_flags(node, pflags, SD_GPT_FLAG_NO_AUTO | SD_GPT_FLAG_READ_ONLY | SD_GPT_FLAG_GROWFS); @@ -1307,6 +1329,9 @@ static int dissect_image( if (pflags != 0x80) /* Bootable flag */ continue; + if (!image_filter_test(filter, PARTITION_ROOT, /* label= */ NULL)) + continue; + if (generic_node) multiple_generic = true; else { @@ -1324,6 +1349,9 @@ static int dissect_image( sd_id128_t id = SD_ID128_NULL; const char *options = NULL; + if (!image_filter_test(filter, PARTITION_XBOOTLDR, /* label= */ NULL)) + continue; + r = image_policy_may_use(policy, PARTITION_XBOOTLDR); if (r < 0) return r; @@ -1570,6 +1598,7 @@ int dissect_image_file( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { @@ -1602,7 +1631,7 @@ int dissect_image_file( if (r < 0) return r; - r = dissect_image(m, fd, path, verity, mount_options, image_policy, flags); + r = dissect_image(m, fd, path, verity, mount_options, image_policy, image_filter, flags); if (r < 0) return r; @@ -1672,12 +1701,13 @@ int dissect_image_file_and_warn( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { return dissect_log_error( LOG_ERR, - dissect_image_file(path, verity, mount_options, image_policy, flags, ret), + dissect_image_file(path, verity, mount_options, image_policy, image_filter, flags, ret), path, verity); } @@ -3134,6 +3164,68 @@ int dissected_image_relinquish(DissectedImage *m) { return 0; } +void image_filter_done(ImageFilter *f) { + assert(f); + + FOREACH_ELEMENT(p, f->pattern) + *p = mfree(*p); +} + +ImageFilter *image_filter_free(ImageFilter *f) { + if (!f) + return NULL; + + image_filter_done(f); + return mfree(f); +} + +int image_filter_parse(const char *s, ImageFilter **ret) { + _cleanup_(image_filter_freep) ImageFilter *f = NULL; + int r; + + if (isempty(s)) { + if (ret) + *ret = NULL; + return 0; + } + + for (;;) { + _cleanup_free_ char *word = NULL; + + r = extract_first_word(&s, &word, ":", EXTRACT_UNQUOTE|EXTRACT_DONT_COALESCE_SEPARATORS); + if (r < 0) + return log_debug_errno(r, "Failed to extract word: %m"); + if (r == 0) + break; + + _cleanup_free_ char *designator = NULL, *pattern = NULL; + const char *x = word; + r = extract_many_words(&x, "=", EXTRACT_UNQUOTE|EXTRACT_DONT_COALESCE_SEPARATORS, &designator, &pattern); + if (r < 0) + return log_debug_errno(r, "Failed to extract designator: %m"); + if (r != 2 || !isempty(x)) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to split: %m"); + + PartitionDesignator d = partition_designator_from_string(designator); + if (d < 0) + return log_debug_errno(d, "Failed to parse partition designator: %s", designator); + + if (!f) { + f = new0(ImageFilter, 1); + if (!f) + return log_oom_debug(); + } else if (f->pattern[d]) + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Duplicate pattern for '%s', refusing.", partition_designator_to_string(d)); + + f->pattern[d] = TAKE_PTR(pattern); + } + + if (ret) + *ret = TAKE_PTR(f); + + return 0; +} + static char *build_auxiliary_path(const char *image, const char *suffix) { const char *e; char *n; @@ -3940,6 +4032,7 @@ int dissect_loop_device( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { @@ -3957,7 +4050,15 @@ int dissect_loop_device( m->image_size = m->loop->device_size; m->sector_size = m->loop->sector_size; - r = dissect_image(m, loop->fd, loop->node, verity, mount_options, image_policy, flags); + r = dissect_image( + m, + loop->fd, + loop->node, + verity, + mount_options, + image_policy, + image_filter, + flags); if (r < 0) return r; @@ -3975,6 +4076,7 @@ int dissect_loop_device_and_warn( const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, DissectImageFlags flags, DissectedImage **ret) { @@ -3982,7 +4084,7 @@ int dissect_loop_device_and_warn( return dissect_log_error( LOG_ERR, - dissect_loop_device(loop, verity, mount_options, image_policy, flags, ret), + dissect_loop_device(loop, verity, mount_options, image_policy, image_filter, flags, ret), loop->backing_file ?: loop->node, verity); } @@ -4101,6 +4203,7 @@ int mount_image_privately_interactively( &verity, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, flags, &dissected_image); if (r < 0) @@ -4182,6 +4285,7 @@ int verity_dissect_and_mount( const char *dest, const MountOptions *options, const ImagePolicy *image_policy, + const ImageFilter *image_filter, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, @@ -4239,6 +4343,7 @@ int verity_dissect_and_mount( verity, options, image_policy, + image_filter, dissect_image_flags, &dissected_image); /* No partition table? Might be a single-filesystem image, try again */ @@ -4248,6 +4353,7 @@ int verity_dissect_and_mount( verity, options, image_policy, + image_filter, dissect_image_flags | DISSECT_IMAGE_NO_PARTITION_TABLE, &dissected_image); if (r < 0) diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h index 8725ff9921..3d919a65e0 100644 --- a/src/shared/dissect-image.h +++ b/src/shared/dissect-image.h @@ -19,6 +19,7 @@ typedef struct DissectedPartition DissectedPartition; typedef struct DecryptedImage DecryptedImage; typedef struct MountOptions MountOptions; typedef struct VeritySettings VeritySettings; +typedef struct ImageFilter ImageFilter; struct DissectedPartition { bool found:1; @@ -148,6 +149,11 @@ struct VeritySettings { .designator = _PARTITION_DESIGNATOR_INVALID \ } +struct ImageFilter { + /* A per designator glob matching against the partition label */ + char *pattern[_PARTITION_DESIGNATOR_MAX]; +}; + /* We include image-policy.h down here, since ImagePolicy wants a complete definition of PartitionDesignator first. */ #include "image-policy.h" @@ -161,10 +167,10 @@ static inline int probe_filesystem(const char *path, char **ret_fstype) { } int dissect_log_error(int log_level, int r, const char *name, const VeritySettings *verity); -int dissect_image_file(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); -int dissect_image_file_and_warn(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); -int dissect_loop_device(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); -int dissect_loop_device_and_warn(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, DissectImageFlags flags, DissectedImage **ret); +int dissect_image_file(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); +int dissect_image_file_and_warn(const char *path, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); +int dissect_loop_device(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); +int dissect_loop_device_and_warn(LoopDevice *loop, const VeritySettings *verity, const MountOptions *mount_options, const ImagePolicy *image_policy, const ImageFilter *filter, DissectImageFlags flags, DissectedImage **ret); void dissected_image_close(DissectedImage *m); DissectedImage* dissected_image_unref(DissectedImage *m); @@ -201,6 +207,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DecryptedImage*, decrypted_image_unref); int dissected_image_relinquish(DissectedImage *m); +void image_filter_done(ImageFilter *f); +ImageFilter *image_filter_free(ImageFilter *f); +DEFINE_TRIVIAL_CLEANUP_FUNC(ImageFilter*, image_filter_free); +int image_filter_parse(const char *s, ImageFilter **ret); + int verity_settings_load(VeritySettings *verity, const char *image, const char *root_hash_path, const char *root_hash_sig_path); static inline bool verity_settings_set(const VeritySettings *settings) { @@ -237,7 +248,7 @@ bool dissected_image_verity_sig_ready(const DissectedImage *image, PartitionDesi int mount_image_privately_interactively(const char *path, const ImagePolicy *image_policy, DissectImageFlags flags, char **ret_directory, int *ret_dir_fd, LoopDevice **ret_loop_device); -int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_host_os_release_confext_level, const char *required_sysext_scope, VeritySettings *verity, DissectedImage **ret_image); +int verity_dissect_and_mount(int src_fd, const char *src, const char *dest, const MountOptions *options, const ImagePolicy *image_policy, const ImageFilter *image_filter, const char *required_host_os_release_id, const char *required_host_os_release_version_id, const char *required_host_os_release_sysext_level, const char *required_host_os_release_confext_level, const char *required_sysext_scope, VeritySettings *verity, DissectedImage **ret_image); int dissect_fstype_ok(const char *fstype); diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index d7471bc78d..c92e779a87 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c @@ -969,6 +969,7 @@ static int mount_in_namespace_legacy( mount_tmp, options, image_policy, + /* image_filter= */ NULL, /* required_host_os_release_id= */ NULL, /* required_host_os_release_version_id= */ NULL, /* required_host_os_release_sysext_level= */ NULL, @@ -1193,6 +1194,7 @@ static int mount_in_namespace( /* dest= */ NULL, options, image_policy, + /* image_filter= */ NULL, /* required_host_os_release_id= */ NULL, /* required_host_os_release_version_id= */ NULL, /* required_host_os_release_sysext_level= */ NULL, diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c index d2bb992d14..201787b251 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -1802,6 +1802,7 @@ static int merge_subprocess( &verity_settings, /* mount_options= */ NULL, pick_image_policy(img), + /* image_filter= */ NULL, flags, &m); if (r < 0) diff --git a/src/test/meson.build b/src/test/meson.build index 4ef296a41a..424e4f5563 100644 --- a/src/test/meson.build +++ b/src/test/meson.build @@ -105,6 +105,7 @@ simple_tests += files( 'test-hostname-setup.c', 'test-hostname-util.c', 'test-id128.c', + 'test-image-filter.c', 'test-image-policy.c', 'test-import-util.c', 'test-in-addr-prefix-util.c', diff --git a/src/test/test-image-filter.c b/src/test/test-image-filter.c new file mode 100644 index 0000000000..d5d157727d --- /dev/null +++ b/src/test/test-image-filter.c @@ -0,0 +1,39 @@ +/* SPDX-License-Identifier: LGPL-2.1-or-later */ + +#include "dissect-image.h" +#include "tests.h" + +TEST(image_filter) { + _cleanup_(image_filter_freep) ImageFilter *f = NULL; + + ASSERT_OK(image_filter_parse(NULL, &f)); + ASSERT_NULL(f); + ASSERT_OK(image_filter_parse("", &f)); + ASSERT_NULL(f); + + ASSERT_OK(image_filter_parse("root=*", &f)); + ASSERT_NOT_NULL(f); + ASSERT_STREQ(f->pattern[PARTITION_ROOT], "*"); + f = image_filter_free(f); + + ASSERT_OK(image_filter_parse("usr=foox?:root=kn*arz", &f)); + ASSERT_NOT_NULL(f); + ASSERT_STREQ(f->pattern[PARTITION_ROOT], "kn*arz"); + ASSERT_STREQ(f->pattern[PARTITION_USR], "foox?"); + f = image_filter_free(f); + + ASSERT_OK(image_filter_parse("usr=foox?:root=kn*arz:home=wumpi", &f)); + ASSERT_NOT_NULL(f); + ASSERT_STREQ(f->pattern[PARTITION_ROOT], "kn*arz"); + ASSERT_STREQ(f->pattern[PARTITION_USR], "foox?"); + ASSERT_STREQ(f->pattern[PARTITION_HOME], "wumpi"); + f = image_filter_free(f); + + ASSERT_ERROR(image_filter_parse("usr=foox?:root=kn*arz:home=wumpi:schlumpf=smurf", &f), EINVAL); + ASSERT_ERROR(image_filter_parse(":", &f), EINVAL); + ASSERT_ERROR(image_filter_parse("::", &f), EINVAL); + ASSERT_ERROR(image_filter_parse("-", &f), EINVAL); + ASSERT_ERROR(image_filter_parse("root=knuff:root=knuff", &f), EINVAL); +} + +DEFINE_TEST_MAIN(LOG_INFO); diff --git a/src/test/test-loop-block.c b/src/test/test-loop-block.c index c18582795b..c2addc5924 100644 --- a/src/test/test-loop-block.c +++ b/src/test/test-loop-block.c @@ -81,7 +81,14 @@ static void* thread_func(void *ptr) { log_notice("Acquired loop device %s, will mount on %s", loop->node, mounted); - r = dissect_loop_device(loop, NULL, NULL, NULL, DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected); + r = dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + DISSECT_IMAGE_READ_ONLY|DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &dissected); if (r < 0) log_error_errno(r, "Failed dissect loopback device %s: %m", loop->node); assert_se(r >= 0); @@ -218,7 +225,14 @@ static int run(int argc, char *argv[]) { sfdisk = NULL; #if HAVE_BLKID - assert_se(dissect_image_file(p, NULL, NULL, NULL, 0, &dissected) >= 0); + assert_se(dissect_image_file( + p, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + /* flags= */ 0, + &dissected) >= 0); verify_dissected_image(dissected); dissected = dissected_image_unref(dissected); #endif @@ -232,7 +246,14 @@ static int run(int argc, char *argv[]) { assert_se(loop_device_make(fd, O_RDWR, 0, UINT64_MAX, 0, LO_FLAGS_PARTSCAN, LOCK_EX, &loop) >= 0); #if HAVE_BLKID - assert_se(dissect_loop_device(loop, NULL, NULL, NULL, DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected) >= 0); + assert_se(dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &dissected) >= 0); verify_dissected_image(dissected); FOREACH_STRING(fs, "vfat", "ext4") { @@ -268,12 +289,26 @@ static int run(int argc, char *argv[]) { /* Try to read once, without pinning or adding partitions, i.e. by only accessing the whole block * device. */ - assert_se(dissect_loop_device(loop, NULL, NULL, NULL, 0, &dissected) >= 0); + assert_se(dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + /* flags= */ 0, + &dissected) >= 0); verify_dissected_image_harder(dissected); dissected = dissected_image_unref(dissected); /* Now go via the loopback device after all, but this time add/pin, because now we want to mount it. */ - assert_se(dissect_loop_device(loop, NULL, NULL, NULL, DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, &dissected) >= 0); + assert_se(dissect_loop_device( + loop, + /* verity= */ NULL, + /* mount_options= */ NULL, + /* image_policy= */ NULL, + /* image_filter= */ NULL, + DISSECT_IMAGE_ADD_PARTITION_DEVICES|DISSECT_IMAGE_PIN_PARTITION_DEVICES, + &dissected) >= 0); verify_dissected_image_harder(dissected); assert_se(mkdtemp_malloc(NULL, &mounted) >= 0); diff --git a/src/udev/udev-builtin-dissect_image.c b/src/udev/udev-builtin-dissect_image.c index 3a598952ac..f4acd41409 100644 --- a/src/udev/udev-builtin-dissect_image.c +++ b/src/udev/udev-builtin-dissect_image.c @@ -121,6 +121,7 @@ static int verb_probe(UdevEvent *event, sd_device *dev) { &arg_verity_settings, /* mount_options= */ NULL, image_policy, + /* image_filter= */ NULL, DISSECT_IMAGE_READ_ONLY| DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| @@ -167,6 +168,7 @@ static int verb_probe(UdevEvent *event, sd_device *dev) { &arg_verity_settings, /* mount_options= */ NULL, image_policy_mangled, + /* image_filter= */ NULL, DISSECT_IMAGE_READ_ONLY| DISSECT_IMAGE_GPT_ONLY| DISSECT_IMAGE_USR_NO_ROOT| diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c index 4629cf0e79..cbf7badbfe 100644 --- a/src/vmspawn/vmspawn.c +++ b/src/vmspawn/vmspawn.c @@ -1194,6 +1194,7 @@ static int discover_root(char **ret) { /* verity= */ NULL, /* mount_options= */ NULL, /* image_policy= */ NULL, + /* image_filter= */ NULL, /* flags= */ 0, &image); if (r < 0)