-rw-r--r-- | src/core/namespace.c | 8 | ||||
-rwxr-xr-x | test/units/TEST-50-DISSECT.dissect.sh | 9 | ||||
-rwxr-xr-x | test/units/util.sh | 2 |
3 files changed, 19 insertions, 0 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 2f3b8f03d1..c9362e55ab 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -480,20 +480,28 @@ static int append_bind_mounts(MountList *ml, const BindMount *binds, size_t n) {
 }
 static int append_mount_images(MountList *ml, const MountImage *mount_images, size_t n) {
+ int r;
+
 assert(ml);
 assert(mount_images || n == 0);
 FOREACH_ARRAY(m, mount_images, n) {
+ _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;
 MountEntry *me = mount_list_extend(ml);
 if (!me)
 return log_oom_debug();
+ r = verity_settings_load(&verity, m->source, /* root_hash_path= */ NULL, /* root_hash_sig_path= */ NULL);
+ if (r < 0) return log_debug_errno(r, "Failed to check verity root hash of %s: %m", m->source);
+
 *me = (MountEntry) {
 .path_const = m->destination,
 .mode = MOUNT_IMAGE,
 .source_const = m->source,
 .image_options_const = m->mount_options,
 .ignore = m->ignore_enoent,
+ .verity = TAKE_GENERIC(verity, VeritySettings, VERITY_SETTINGS_DEFAULT),
 };
 }
diff --git a/test/units/TEST-50-DISSECT.dissect.sh b/test/units/TEST-50-DISSECT.dissect.sh
index 6cf1213551..f2b4db5133 100755
--- a/test/units/TEST-50-DISSECT.dissect.sh
+++ b/test/units/TEST-50-DISSECT.dissect.sh
@@ -281,6 +281,9 @@ systemd-run -P \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
 cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run -P \
+ -p MountImages="$MINIMAL_IMAGE.raw:/run/img2" \
+ veritysetup status "${MINIMAL_IMAGE_ROOTHASH}-verity" | grep -q "${MINIMAL_IMAGE_ROOTHASH}"
 cat >/run/systemd/system/testservice-50c.service <<EOF
 [Service]
 MountAPIVFS=yes
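Review bot: `verity_settings_load()` is called only after `mount_list_extend(ml)` has already appended `me`, so its new failure return leaves an entry in the list that was never assigned; that is harmless only if `mount_list_extend` zero-fills new slots, which is not visible here, and loading `verity` first and extending the list once the load succeeds closes that window while keeping the two error paths symmetric. Nothing in `MountImage` carries a root hash (both `root_hash_path` and `root_hash_sig_path` are passed as NULL), so the hash and any signature can only be discovered from files next to `m->source` (the test fixture drops `app0.roothash`/`app0.verity` beside the image), and that trust boundary deserves a comment: `/* No per-image root hash is configured, so hash and signature are discovered from sidecar files next to the image; a hash found this way guards integrity only, authenticity depends on the signature being checked where the image is mounted. */` — the last clause is an assumption about code outside this hunk and should be confirmed. The log message says "check" but nothing is verified at this point; "Failed to load verity settings of %s" describes what failed. `append_mount_images` continues past the end of the hunk.
```c
        FOREACH_ARRAY(m, mount_images, n) {
                _cleanup_(verity_settings_done) VeritySettings verity = VERITY_SETTINGS_DEFAULT;

                /* No per-image root hash is configured, so hash and signature are discovered from
                 * sidecar files next to the image; a hash found this way guards integrity only. */
                r = verity_settings_load(&verity, m->source, /* root_hash_path= */ NULL, /* root_hash_sig_path= */ NULL);
                if (r < 0)
                        return log_debug_errno(r, "Failed to load verity settings of %s: %m", m->source);

                MountEntry *me = mount_list_extend(ml);
                if (!me)
                        return log_oom_debug();

                /* … unchanged: MountEntry initializer, .verity = TAKE_GENERIC(...) … */
```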
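Review bot: The new assertion only shows that a dm-verity device named `${MINIMAL_IMAGE_ROOTHASH}-verity` exists inside the unit, not that `/run/img2` is served from it — and because the hash is part of the device name, `grep -q` on the hash is satisfied by whatever `veritysetup status` prints about that device, including an "is inactive" line, unless `pipefail` is in effect earlier in the script (not visible here). Tying the mount point to the device is stronger: `findmnt -no SOURCE /run/img2 | grep -q -F -- "${MINIMAL_IMAGE_ROOTHASH}-verity"`, assuming the raw image is mounted straight from the mapped device rather than from a partition of it. Using `grep -q -F` here would also match the preceding check and avoid treating the hash as a regex.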
@@ -362,6 +365,12 @@ systemd-run -P \
 --property ExtensionImages=/etc/service-scoped-test.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
 cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
+systemd-run -P \
+ --property ExtensionImages="/tmp/app0.raw /tmp/conf0.raw" \
+ veritysetup status "$(cat /tmp/app0.roothash)-verity" | grep -q "$(cat /tmp/app0.roothash)"
+systemd-run -P \
+ --property ExtensionImages="/tmp/app0.raw /tmp/conf0.raw" \
+ veritysetup status "$(cat /tmp/conf0.roothash)-verity" | grep -q "$(cat /tmp/conf0.roothash)"
 # Check that two identical verity images at different paths do not fail with -ELOOP from OverlayFS
 mkdir -p /tmp/loop
diff --git a/test/units/util.sh b/test/units/util.sh
index 7a39d4267e..1f903b3293 100755
--- a/test/units/util.sh
+++ b/test/units/util.sh
@@ -284,6 +284,7 @@ EOF
 chmod +x "$initdir/opt/script0.sh"
 echo MARKER=1 >"$initdir/usr/lib/systemd/system/some_file"
 mksquashfs "$initdir" /tmp/app0.raw -noappend
+ veritysetup format /tmp/app0.raw /tmp/app0.verity --root-hash-file /tmp/app0.roothash
 initdir="/var/tmp/conf0"
 mkdir -p "$initdir/etc/extension-release.d" "$initdir/etc/systemd/system" "$initdir/opt"
@@ -295,6 +296,7 @@ EOF
 ) >>"$initdir/etc/extension-release.d/extension-release.conf0"
 echo MARKER_1 >"$initdir/etc/systemd/system/some_file"
 mksquashfs "$initdir" /tmp/conf0.raw -noappend
+ veritysetup format /tmp/conf0.raw /tmp/conf0.verity --root-hash-file /tmp/conf0.roothash
 initdir="/var/tmp/app1"
 mkdir -p "$initdir/usr/lib/extension-release.d" "$initdir/usr/lib/systemd/system" "$initdir/opt" |
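Review bot: Both new checks are positive-only: they show a verity device gets set up for an extension whose sidecar hash matches, but nothing shows the discovered hash is actually enforced, which is the property that matters. A negative case would pin that down — copy `/tmp/app0.raw` to a scratch path together with its `.roothash`/`.verity` sidecars, flip one byte inside the copy, and assert that `systemd-run -P --property ExtensionImages=<copy> cat /usr/lib/systemd/system/some_file` fails (whether the mount fails outright or only the read does depends on dm-verity error mode, so assert on the whole command's exit status). The two transient units also each mount both images only to inspect one device; a single run with `sh -c 'veritysetup status A | grep ... && veritysetup status B | grep ...'` covers both and halves the setup, and `grep -q -F` should be used since the device name already contains the hash and a plain regex match on it proves little beyond `veritysetup status` having printed the name.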
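Review bot: `veritysetup format` is now an unconditional step of the shared fixture builder in util.sh, so every test that sources this helper needs cryptsetup installed and, if the surrounding function runs under `set -e`, fails hard without saying why when it is missing. A guard at the top of the helper such as `command -v veritysetup >/dev/null || { echo "veritysetup missing, verity fixtures unavailable" >&2; exit 1; }` makes the dependency explicit; whether TEST-50 already assumes cryptsetup elsewhere is not visible here. Note also that the images are formatted with a root hash only and no `--root-hash-signature`, so the fixtures exercise integrity discovery but not the signed (authenticity) path.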