mountfsd: allow privileged users to mount bare unprotected filesystems (#39411)

Split from https://github.com/systemd/systemd/pull/39394 as that requires deeper rework that will take more time
2026-04-15 00:47:10 +09:00 · 2025-10-24 09:40:52 +09:00
parent f4072a9da2 e84aa21af8
commit fe5625cbba
3 changed files with 13 additions and 2 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -225,7 +225,7 @@
        <constant>esp</constant>, <constant>xbootldr</constant>, <constant>tmp</constant>,
        <constant>var</constant>.</para>

-        <xi:include href="system-or-user-ns-mountfsd.xml" xpointer="singular"/>
+        <xi:include href="system-only.xml" xpointer="singular"/>

        <xi:include href="version-info.xml" xpointer="v247"/></listitem>
      </varlistentry>
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@@ -449,7 +449,9 @@ static int vl_method_mount_image(
                DISSECT_IMAGE_ADD_PARTITION_DEVICES |
                DISSECT_IMAGE_PIN_PARTITION_DEVICES |
                (p.verity_sharing ? DISSECT_IMAGE_VERITY_SHARE : 0) |
-                (p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
+                /* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
+                 * classified by the policy as an 'unprotected' image and will be refused otherwise. */
+                DISSECT_IMAGE_NO_PARTITION_TABLE |
                DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;

        /* Let's see if we have acquired the privilege to mount untrusted images already */
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
    mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
 fi

+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+    true)
+
 # Install key in keychain
 mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/