Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/condition.c | 4 | ||||
-rw-r--r-- | src/shared/creds-util.c | 4 | ||||
-rw-r--r-- | src/shared/discover-image.c | 33 | ||||
-rw-r--r-- | src/shared/dissect-image.c | 51 | ||||
-rw-r--r-- | src/shared/dissect-image.h | 1 | ||||
-rw-r--r-- | src/shared/efi-loader.c | 2 | ||||
-rw-r--r-- | src/shared/mount-util.c | 4 | ||||
-rw-r--r-- | src/shared/netif-naming-scheme.c | 2 | ||||
-rw-r--r-- | src/shared/pager.c | 2 | ||||
-rw-r--r-- | src/shared/seccomp-util.c | 2 |
10 files changed, 74 insertions, 31 deletions
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 385ceee332..b7d2248b94 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -751,9 +751,9 @@ static int condition_test_needs_update(Condition *c, char **env) {
 assert(c->parameter);
 assert(c->type == CONDITION_NEEDS_UPDATE);
- r = proc_cmdline_get_bool("systemd.condition-needs-update", /* flags = */ 0, &b);
+ r = proc_cmdline_get_bool("systemd.condition_needs_update", /* flags = */ 0, &b);
 if (r < 0)
- log_debug_errno(r, "Failed to parse systemd.condition-needs-update= kernel command line argument, ignoring: %m");
+ log_debug_errno(r, "Failed to parse systemd.condition_needs_update= kernel command line argument, ignoring: %m");
 if (r > 0)
 return b;
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index a495f82b87..2d5846a06f 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -1489,7 +1489,7 @@ int decrypt_credential_and_warn(
 if (validate_name && !streq(embedded_name, validate_name)) {
- r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
+ r = secure_getenv_bool("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
 if (r < 0 && r != -ENXIO)
 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
 if (r != 0)
@@ -1505,7 +1505,7 @@ int decrypt_credential_and_warn(
 if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) {
- r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
+ r = secure_getenv_bool("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
 if (r < 0 && r != -ENXIO)
 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
 if (r != 0)
diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c
index 6d4f7612ca..72f20c8eb7 100644
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
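Review bot: The kernel command line key changes spelling from `systemd.condition-needs-update` to `systemd.condition_needs_update` here (and from `net.naming-scheme` to `net.naming_scheme` in the netif-naming-scheme.c hunk further down), and the hunk does not say whether the old spelling keeps working: unless proc_cmdline_get_bool()/proc_cmdline_get_key() treat `-` and `_` as equivalent when matching keys, command lines written with the previously accepted form silently stop being honoured. If the lookup does normalise the separator, as I believe systemd's key comparison does, a short comment at the call site would spare the next reader the same check, e.g. `/* '-' and '_' are interchangeable in cmdline keys; the underscore form is the documented spelling */`. condition_test_needs_update() begins before the hunk.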
@@ -1471,8 +1471,25 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
 case IMAGE_BLOCK: {
 _cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
 _cleanup_(dissected_image_unrefp) DissectedImage *m = NULL;
-
- r = loop_device_make_by_path(i->path, O_RDONLY, /* sector_size= */ UINT32_MAX, LO_FLAGS_PARTSCAN, LOCK_SH, &d);
+ DissectImageFlags flags =
+ DISSECT_IMAGE_GENERIC_ROOT |
+ DISSECT_IMAGE_REQUIRE_ROOT |
+ DISSECT_IMAGE_RELAX_VAR_CHECK |
+ DISSECT_IMAGE_READ_ONLY |
+ DISSECT_IMAGE_USR_NO_ROOT |
+ DISSECT_IMAGE_ADD_PARTITION_DEVICES |
+ DISSECT_IMAGE_PIN_PARTITION_DEVICES |
+ DISSECT_IMAGE_VALIDATE_OS |
+ DISSECT_IMAGE_VALIDATE_OS_EXT |
+ DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
+
+ r = loop_device_make_by_path(
+ i->path,
+ O_RDONLY,
+ /* sector_size= */ UINT32_MAX,
+ LO_FLAGS_PARTSCAN,
+ LOCK_SH,
+ &d);
 if (r < 0)
 return r;
@@ -1481,20 +1498,12 @@ int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
 /* verity= */ NULL,
 /* mount_options= */ NULL,
 image_policy,
- DISSECT_IMAGE_GENERIC_ROOT |
- DISSECT_IMAGE_REQUIRE_ROOT |
- DISSECT_IMAGE_RELAX_VAR_CHECK |
- DISSECT_IMAGE_READ_ONLY |
- DISSECT_IMAGE_USR_NO_ROOT |
- DISSECT_IMAGE_ADD_PARTITION_DEVICES |
- DISSECT_IMAGE_PIN_PARTITION_DEVICES,
+ flags,
 &m);
 if (r < 0)
 return r;
- r = dissected_image_acquire_metadata(m,
- DISSECT_IMAGE_VALIDATE_OS |
- DISSECT_IMAGE_VALIDATE_OS_EXT);
+ r = dissected_image_acquire_metadata(m, flags);
 if (r < 0)
 return r;
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index 216c036a31..eac3641abd 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -60,6 +60,7 @@
 #include "openssl-util.h"
 #include "os-util.h"
 #include "path-util.h"
+#include "proc-cmdline.h"
 #include "process-util.h"
 #include "raw-clone.h"
 #include "resize-fs.h"
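Review bot: The single merged `flags` value is now handed to both the dissect call and dissected_image_acquire_metadata(), so each callee receives bits it did not get before: the dissect call gains DISSECT_IMAGE_VALIDATE_OS/VALIDATE_OS_EXT, and the metadata call gains the mount-related bits (READ_ONLY, USR_NO_ROOT, ADD/PIN_PARTITION_DEVICES and so on). Whether both callees ignore the bits that are not theirs is not visible in these hunks; if either reacts to them, the change does more than enable userspace verity for image_read_metadata(). A one-line comment on the declaration, `/* one flag set for both dissection and metadata acquisition; each callee ignores the bits it does not consume */`, would record that this was checked. image_read_metadata() continues beyond the hunk.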
@@ -2537,7 +2538,35 @@ static char* dm_deferred_remove_clean(char *name) {
 }
 DEFINE_TRIVIAL_CLEANUP_FUNC(char *, dm_deferred_remove_clean);
-static int validate_signature_userspace(const VeritySettings *verity) {
+static int validate_signature_userspace(const VeritySettings *verity, DissectImageFlags flags) {
+ int r;
+
+ if (!FLAGS_SET(flags, DISSECT_IMAGE_ALLOW_USERSPACE_VERITY)) {
+ log_debug("Userspace dm-verity signature authentication disabled via flag.");
+ return 0;
+ }
+
+ r = secure_getenv_bool("SYSTEMD_ALLOW_USERSPACE_VERITY");
+ if (r < 0 && r != -ENXIO) {
+ log_debug_errno(r, "Failed to parse $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable, refusing userspace dm-verity signature authentication.");
+ return 0;
+ }
+ if (!r) {
+ log_debug("Userspace dm-verity signature authentication disabled via $SYSTEMD_ALLOW_USERSPACE_VERITY environment variable.");
+ return 0;
+ }
+
+ bool b;
+ r = proc_cmdline_get_bool("systemd.allow_userspace_verity", PROC_CMDLINE_TRUE_WHEN_MISSING, &b);
+ if (r < 0) {
+ log_debug_errno(r, "Failed to parse systemd.allow_userspace_verity= kernel command line option, refusing userspace dm-verity signature authentication.");
+ return 0;
+ }
+ if (!b) {
+ log_debug("Userspace dm-verity signature authentication disabled via systemd.allow_userspace_verity= kernel command line variable.");
+ return 0;
+ }
+
 #if HAVE_OPENSSL
 _cleanup_(sk_X509_free_allp) STACK_OF(X509) *sk = NULL;
 _cleanup_strv_free_ char **certs = NULL;
@@ -2546,7 +2575,6 @@ static int validate_signature_userspace(const VeritySettings *verity) {
 _cleanup_(BIO_freep) BIO *bio = NULL; /* 'bio' must be freed first, 's' second, hence keep this order
 * of declaration in place, please */
 const unsigned char *d;
- int r;
 assert(verity);
 assert(verity->root_hash);
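Review bot: The new gates fail closed on a parse error — an unparsable $SYSTEMD_ALLOW_USERSPACE_VERITY or systemd.allow_userspace_verity= returns 0, i.e. no userspace authentication — which is the right default for a signature check but differs from the other secure_getenv_bool() sites in this commit, which log and carry on, and nothing above the function records the choice. I would add a header comment above validate_signature_userspace() stating that validation against the userspace keyring in /etc/verity.d/ runs only if the caller opted in via DISSECT_IMAGE_ALLOW_USERSPACE_VERITY and neither the environment variable nor the kernel command line option disabled it, that both default to allowed when unset (the -ENXIO path and PROC_CMDLINE_TRUE_WHEN_MISSING), and that an unparsable value counts as disabled. Minor: `bool b;` is declared mid-function; placing it beside `int r;` keeps the gate's locals together. The function continues past the hunk, so the OpenSSL path and its return values are not visible here.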
@@ -2618,7 +2646,8 @@ static int validate_signature_userspace(const VeritySettings *verity) {
 static int do_crypt_activate_verity(
 struct crypt_device *cd,
 const char *name,
- const VeritySettings *verity) {
+ const VeritySettings *verity,
+ DissectImageFlags flags) {
 bool check_signature;
 int r, k;
@@ -2628,7 +2657,7 @@ static int do_crypt_activate_verity(
 assert(verity);
 if (verity->root_hash_sig) {
- r = getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIGNATURE");
+ r = secure_getenv_bool("SYSTEMD_DISSECT_VERITY_SIGNATURE");
 if (r < 0 && r != -ENXIO)
 log_debug_errno(r, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIGNATURE");
@@ -2663,7 +2692,7 @@ static int do_crypt_activate_verity(
 /* Preferably propagate the original kernel error, so that the fallback logic can work,
 * as the device-mapper is finicky around concurrent activations of the same volume */
- k = validate_signature_userspace(verity);
+ k = validate_signature_userspace(verity, flags);
 if (k < 0)
 return r < 0 ? r : k;
 if (k == 0)
@@ -2784,7 +2813,7 @@ static int verity_partition(
 goto check; /* The device already exists. Let's check it. */
 /* The symlink to the device node does not exist yet. Assume not activated, and let's activate it. */
- r = do_crypt_activate_verity(cd, name, verity);
+ r = do_crypt_activate_verity(cd, name, verity, flags);
 if (r >= 0)
 goto try_open; /* The device is activated. Let's open it. */
 /* libdevmapper can return EINVAL when the device is already in the activation stage.
@@ -3100,7 +3129,7 @@ int verity_settings_load(
 if (is_device_path(image))
 return 0;
- r = getenv_bool_secure("SYSTEMD_DISSECT_VERITY_SIDECAR");
+ r = secure_getenv_bool("SYSTEMD_DISSECT_VERITY_SIDECAR");
 if (r < 0 && r != -ENXIO)
 log_debug_errno(r, "Failed to parse $SYSTEMD_DISSECT_VERITY_SIDECAR, ignoring: %m");
 if (r == 0)
@@ -3285,7 +3314,7 @@ int dissected_image_load_verity_sig_partition(
 if (verity->root_hash && verity->root_hash_sig) /* Already loaded? */
 return 0;
- r = getenv_bool_secure("SYSTEMD_DISSECT_VERITY_EMBEDDED");
+ r = secure_getenv_bool("SYSTEMD_DISSECT_VERITY_EMBEDDED");
 if (r < 0 && r != -ENXIO)
 log_debug_errno(r, "Failed to parse $SYSTEMD_DISSECT_VERITY_EMBEDDED, ignoring: %m");
 if (r == 0)
@@ -3966,10 +3995,12 @@ int verity_dissect_and_mount(
 if (r < 0)
 return log_debug_errno(r, "Failed to load root hash: %m");
- dissect_image_flags = (verity.data_path ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
+ dissect_image_flags =
+ (verity.data_path ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
 (relax_extension_release_check ? DISSECT_IMAGE_RELAX_EXTENSION_CHECK : 0) |
 DISSECT_IMAGE_ADD_PARTITION_DEVICES |
- DISSECT_IMAGE_PIN_PARTITION_DEVICES;
+ DISSECT_IMAGE_PIN_PARTITION_DEVICES |
+ DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
 /* Note that we don't use loop_device_make here, as the FD is most likely O_PATH which would not be
 * accepted by LOOP_CONFIGURE, so just let loop_device_make_by_path reopen it as a regular FD. */
diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h
index 2366a38397..559d5b861d 100644
--- a/src/shared/dissect-image.h
+++ b/src/shared/dissect-image.h
@@ -87,6 +87,7 @@ typedef enum DissectImageFlags {
 DISSECT_IMAGE_DISKSEQ_DEVNODE = 1 << 23, /* Prefer /dev/disk/by-diskseq/… device nodes */
 DISSECT_IMAGE_ALLOW_EMPTY = 1 << 24, /* Allow that no usable partitions is present */
 DISSECT_IMAGE_TRY_ATOMIC_MOUNT_EXCHANGE = 1 << 25, /* Try to mount the image beneath the specified mountpoint, rather than on top of it, and then umount the top */
+ DISSECT_IMAGE_ALLOW_USERSPACE_VERITY = 1 << 26, /* Allow userspace verity keyring in /etc/verity.d/ and related dirs */
 } DissectImageFlags;
 struct DissectedImage {
diff --git a/src/shared/efi-loader.c b/src/shared/efi-loader.c
index 7d6bda924a..ab377aaa8b 100644
--- a/src/shared/efi-loader.c
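Review bot: The comment on `DISSECT_IMAGE_ALLOW_USERSPACE_VERITY` in dissect-image.h says what is allowed but not that the bit is only the caller-side opt-in: even with it set, validate_signature_userspace() still consults $SYSTEMD_ALLOW_USERSPACE_VERITY and systemd.allow_userspace_verity= before touching the keyring, and either can veto it. Since this enum is the contract callers read when deciding whether to set the bit, I would say so here, e.g. `/* Caller opts in to signature validation against the userspace keyring in /etc/verity.d/ (and related dirs); still subject to $SYSTEMD_ALLOW_USERSPACE_VERITY and systemd.allow_userspace_verity= */`.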
+++ b/src/shared/efi-loader.c
@@ -262,7 +262,7 @@ int efi_measured_uki(int log_level) {
 * being used, but it measured things into a different PCR than we are configured for in
 * userspace. (i.e. we expect PCR 11 being used for this by both sd-stub and us) */
- r = getenv_bool_secure("SYSTEMD_FORCE_MEASURE"); /* Give user a chance to override the variable test,
+ r = secure_getenv_bool("SYSTEMD_FORCE_MEASURE"); /* Give user a chance to override the variable test,
 * for debugging purposes */
 if (r >= 0)
 return (cached = r);
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index 77b18c375c..72fa4fee43 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -1214,7 +1214,9 @@ static int mount_in_namespace(
 (void) mkdir_parents(dest, 0755);
 if (img) {
- DissectImageFlags f = DISSECT_IMAGE_TRY_ATOMIC_MOUNT_EXCHANGE;
+ DissectImageFlags f =
+ DISSECT_IMAGE_TRY_ATOMIC_MOUNT_EXCHANGE |
+ DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
 if (make_file_or_directory)
 f |= DISSECT_IMAGE_MKDIR;
diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
index 38c24760f0..2955b6e8d5 100644
--- a/src/shared/netif-naming-scheme.c
+++ b/src/shared/netif-naming-scheme.c
@@ -53,7 +53,7 @@ const NamingScheme* naming_scheme(void) {
 return cache;
 /* Acquire setting from the kernel command line */
- (void) proc_cmdline_get_key("net.naming-scheme", 0, &buffer);
+ (void) proc_cmdline_get_key("net.naming_scheme", 0, &buffer);
 /* Also acquire it from an env var */
 e = getenv("NET_NAMING_SCHEME");
diff --git a/src/shared/pager.c b/src/shared/pager.c
index 19deefab56..9b8ae76700 100644
--- a/src/shared/pager.c
+++ b/src/shared/pager.c
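Review bot: In the mount-util.c hunk, mount_in_namespace() now sets DISSECT_IMAGE_ALLOW_USERSPACE_VERITY for every image it mounts, and no parameter visible in the hunk lets a caller turn that off, so the opt-in is decided here on behalf of all callers rather than by whoever requested the mount. That matches what verity_dissect_and_mount() and image_read_metadata() do elsewhere in this commit, but a one-line comment on the initialiser, `/* images mounted into a namespace may be authenticated against the userspace verity keyring; the env/cmdline gates still apply */`, would make the policy choice deliberate rather than incidental. mount_in_namespace() starts and ends outside the hunk.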
@@ -175,7 +175,7 @@ void pager_open(PagerFlags flags) {
 * pager. If they didn't, use secure mode when under euid is changed. If $SYSTEMD_PAGERSECURE
 * wasn't explicitly set, and we autodetect the need for secure mode, only use the pager we
 * know to be good. */
- int use_secure_mode = getenv_bool_secure("SYSTEMD_PAGERSECURE");
+ int use_secure_mode = secure_getenv_bool("SYSTEMD_PAGERSECURE");
 bool trust_pager = use_secure_mode >= 0;
 if (use_secure_mode == -ENXIO) {
 uid_t uid;
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 00a8cedcb8..2469e24253 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -298,7 +298,7 @@ bool is_seccomp_available(void) {
 if (cached_enabled < 0) {
 int b;
- b = getenv_bool_secure("SYSTEMD_SECCOMP");
+ b = secure_getenv_bool("SYSTEMD_SECCOMP");
 if (b != 0) {
 if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
 log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
 |