author | Lennart Poettering <lennart@poettering.net> | 2023-04-26 21:51:53 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2024-04-06 16:08:23 +0200 |
commit | 2251e4ef900adff02dcc1a645d90ec66d20bda19 (patch) | |
tree | 3e3557df0b8f1c90fa0a1c416ba510add3173153 /src/shared/image-policy.h | |
parent | varlink: add varlink_peek_dup_fd() helper (diff) | |
image-policy: add a new image_policy_intersect() call

This new call takes two image policy objects and generates an
"intersection" policy, i.e. only allows what is allowed by both. Or in
other words it conceptually implements a binary AND of the policy flags.
(Except that it's a bit harder, due to normalization, and underspecified
flags).

We can use this later for mountfsd: a client can specify a policy, and
mountfsd can specify another policy, and we'll then apply only what both
allow.

Note that a policy generated like this might be invalid. For example, if
one policy says root must exist and be verity or luks protected, and the
other policy says root must be absent, then the intersection is invalid,
since one policy only allows what the other prohibits and vice versa.
We'll return a clear error code in that case (ENAVAIL). (This is because
we simply don't allow encoding such impossible policies in an
ImagePolicy structure, for good reasons.)

Diffstat (limited to 'src/shared/image-policy.h')
-rw-r--r-- | src/shared/image-policy.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/shared/image-policy.h b/src/shared/image-policy.h index c2a0a5ac40..a1a6afa345 100644 --- a/src/shared/image-policy.h +++ b/src/shared/image-policy.h @@ -80,6 +80,7 @@ static inline size_t image_policy_n_entries(const ImagePolicy *policy) { } PartitionPolicyFlags partition_policy_flags_extend(PartitionPolicyFlags flags); +PartitionPolicyFlags partition_policy_flags_reduce(PartitionPolicyFlags flags); PartitionPolicyFlags partition_policy_flags_from_string(const char *s); int partition_policy_flags_to_string(PartitionPolicyFlags flags, bool simplify, char **ret); @@ -95,6 +96,8 @@ bool image_policy_equiv_deny(const ImagePolicy *policy); bool image_policy_equal(const ImagePolicy *a, const ImagePolicy *b); /* checks if defined the same way, i.e. has literally the same ruleset */ int image_policy_equivalent(const ImagePolicy *a, const ImagePolicy *b); /* checks if the outcome is the same, i.e. for all partitions results in the same decisions. */ +int image_policy_intersect(const ImagePolicy *a, const ImagePolicy *b, ImagePolicy **ret); + static inline ImagePolicy* image_policy_free(ImagePolicy *p) { return mfree(p); } |
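Review bot: the new partition_policy_flags_reduce() declaration in the first hunk (@@ -80,6 +80,7 @@) has no comment, and nothing in the header says how it relates to partition_policy_flags_extend() directly above it. The commit message names normalization and underspecified flags as the hard part of intersecting policies, so a one-line comment stating what "reduce" does to a flag set, and whether it is meant as the counterpart of "extend", would keep callers from applying the wrong one before comparing or combining policies.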
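Review bot: image_policy_intersect() in the second hunk (@@ -95,6 +96,8 @@) is declared without the kind of trailing comment that image_policy_equal() and image_policy_equivalent() carry just above it, so its failure contract lives only in the commit message. Suggest documenting next to the prototype that an unsatisfiable intersection fails with ENAVAIL, and whether *ret is a new allocation the caller releases with image_policy_free(). For the mountfsd use the message describes, it is also worth stating there that callers must treat any error as a refusal and never fall back to either input policy, since that fallback would apply more than both sides allow.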