From f4a63ce25f1b672fa2e5b52462ac925bb0027291 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 28 Feb 2024 13:17:03 +0100
Subject: dissect-image: add flag for explicitly enabling userspace verity
 signature checking

let's make userspace verity signature checking optional. This adds a
dissection flag to enable the logic and patches through all our users to
enable it by default, thus effectively not changing anything from the
status quo ante. However, know we have a knob to turn this off in
certain scenarios.
---
 src/sysusers/sysusers.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/sysusers')

diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 6e28b1cf8f..cc1c0a0205 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -2247,7 +2247,8 @@ static int run(int argc, char *argv[]) {
                                 DISSECT_IMAGE_VALIDATE_OS |
                                 DISSECT_IMAGE_RELAX_VAR_CHECK |
                                 DISSECT_IMAGE_FSCK |
-                                DISSECT_IMAGE_GROWFS,
+                                DISSECT_IMAGE_GROWFS |
+                                DISSECT_IMAGE_ALLOW_USERSPACE_VERITY,
                                 &mounted_dir,
                                 /* ret_dir_fd= */ NULL,
                                 &loop_device);
-- 
cgit v1.2.3