mountfsd: allow privileged users to mount bare unprotected filesystems (#39411)

Split from https://github.com/systemd/systemd/pull/39394 as that requires deeper rework that will take more time
2026-04-15 00:47:10 +09:00 · 2025-10-24 09:40:52 +09:00
parent f4072a9da2 e84aa21af8
commit fe5625cbba
3 changed files with 13 additions and 2 deletions
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
    mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
 fi

+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+    --property ExtensionImages=/tmp/app1.raw \
+    --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+    true)
+
 # Install key in keychain
 mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/