authorLennart Poettering <lennart@poettering.net>2023-11-08 19:10:44 +0100
committerLennart Poettering <lennart@poettering.net>2024-01-03 11:23:27 +0100
commitd4fee8941af312ea70306dd2742aece9da9028db (patch)
tree01e124fa9966881621e2efec033397ece4406e2a /src/sysext
parentstub: pick up confexts from the ESP as well (diff)
confext: make sure we pick up configuration extensions passed to us from the stub
With fixes from Maanya Goenka.
Diffstat (limited to 'src/sysext')
-rw-r--r--src/sysext/sysext.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c
index fe11fe0f07..fc79370781 100644
--- a/src/sysext/sysext.c
+++ b/src/sysext/sysext.c
@@ -659,8 +659,16 @@ static const ImagePolicy *pick_image_policy(const Image *img) {
* picked up from an untrusted ESP. Thus, require a stricter policy by default for them. (For the
* other directories we assume the appropriate level of trust was already established already. */
- if (in_initrd() && path_startswith(img->path, "/.extra/sysext/"))
- return &image_policy_sysext_strict;
+ if (in_initrd()) {
+ if (path_startswith(img->path, "/.extra/sysext/"))
+ return &image_policy_sysext_strict;
+ if (path_startswith(img->path, "/.extra/confext/"))
+ return &image_policy_confext_strict;
+
+ /* Better safe than sorry, refuse everything else passed in via the untrusted /.extra/ dir */
+ if (path_startswith(img->path, "/.extra/"))
+ return &image_policy_deny;
+ }
return image_class_info[img->class].default_image_policy;
}
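Review bot: Both strict-policy branches in the new `in_initrd()` block choose the policy from the path prefix alone and never compare it with `img->class`, so an image of another class that turns up under `/.extra/confext/` would be given `image_policy_confext_strict` rather than being refused. Whether discovery can produce such a mismatch is not visible here, since the start of `pick_image_policy()` and its callers lie outside the hunk. If it can, tying each branch to the class lets mismatches fall through to the new `image_policy_deny` catch-all: `if (img->class == IMAGE_SYSEXT && path_startswith(img->path, "/.extra/sysext/"))` and `if (img->class == IMAGE_CONFEXT && path_startswith(img->path, "/.extra/confext/"))`. The comment above the block should also say that confext images get the same treatment and that anything else under `/.extra/` is denied while in the initrd, so the trust boundary is stated in one place.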