diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d6ceb1490b..67eba1831a 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -225,7 +225,7 @@
esp, xbootldr, tmp,
var.
-
+
diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c
index 141d8f62de..32c0420ad0 100644
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@@ -449,7 +449,9 @@ static int vl_method_mount_image(
DISSECT_IMAGE_ADD_PARTITION_DEVICES |
DISSECT_IMAGE_PIN_PARTITION_DEVICES |
(p.verity_sharing ? DISSECT_IMAGE_VERITY_SHARE : 0) |
- (p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
+ /* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
+ * classified by the policy as an 'unprotected' image and will be refused otherwise. */
+ DISSECT_IMAGE_NO_PARTITION_TABLE |
DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
/* Let's see if we have acquired the privilege to mount untrusted images already */
diff --git a/test/units/TEST-50-DISSECT.mountfsd.sh b/test/units/TEST-50-DISSECT.mountfsd.sh
index cca502dfcb..92d497903f 100755
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
fi
+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+ --property ExtensionImages=/tmp/app1.raw \
+ true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+ --property ExtensionImages=/tmp/app1.raw \
+ --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+ true)
+
# Install key in keychain
mkdir -p /run/verity.d
cp /tmp/test-50-unpriv-cert.crt /run/verity.d/