discover-image: automaticaly pick up sysext images from /.extra/sysext

2024-07-21 10:17:21 +00:00 · 2022-12-13 16:27:38 +01:00 · 2022-12-13 16:27:38 +01:00 · 73740c9f84
parent a62e12dad1
commit 73740c9f84
2 changed files with 26 additions and 3 deletions
--- a/src/shared/discover-image.c
+++ b/src/shared/discover-image.c
@ -28,6 +28,7 @@
 #include "hashmap.h"
 #include "hostname-setup.h"
 #include "id128-util.h"
+#include "initrd-util.h"
 #include "lock-util.h"
 #include "log.h"
 #include "loop-util.h"
@ -68,6 +69,19 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = {
                            "/var/lib/extensions\0",        /* the main place for images */
 };

+/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext in extension
+ * search dir) */
+static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
+        /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
+
+        [IMAGE_EXTENSION] = "/etc/extensions\0"             /* only place symlinks here */
+                            "/run/extensions\0"             /* and here too */
+                            "/var/lib/extensions\0"         /* the main place for images */
+                            "/usr/local/lib/extensions\0"
+                            "/usr/lib/extensions\0"
+                            "/.extra/sysext\0"              /* put sysext picked up by systemd-stub last, since not trusted */
+};
+
 static Image *image_free(Image *i) {
        assert(i);

@ -441,6 +455,14 @@ static int image_make(
        return -EMEDIUMTYPE;
 }

+static const char *pick_image_search_path(ImageClass class) {
+        if (class < 0 || class >= _IMAGE_CLASS_MAX)
+                return NULL;
+
+        /* Use the initrd search path if there is one, otherwise use the common one */
+        return in_initrd() && image_search_path_initrd[class] ? image_search_path_initrd[class] : image_search_path[class];
+}
+
 int image_find(ImageClass class,
               const char *name,
               const char *root,
@ -456,7 +478,7 @@ int image_find(ImageClass class,
        if (!image_name_is_valid(name))
                return -ENOENT;

-        NULSTR_FOREACH(path, image_search_path[class]) {
+        NULSTR_FOREACH(path, pick_image_search_path(class)) {
                _cleanup_free_ char *resolved = NULL;
                _cleanup_closedir_ DIR *d = NULL;
                struct stat st;
@ -555,7 +577,7 @@ int image_discover(
        assert(class < _IMAGE_CLASS_MAX);
        assert(h);

-        NULSTR_FOREACH(path, image_search_path[class]) {
+        NULSTR_FOREACH(path, pick_image_search_path(class)) {
                _cleanup_free_ char *resolved = NULL;
                _cleanup_closedir_ DIR *d = NULL;

@ -1284,7 +1306,7 @@ bool image_in_search_path(

        assert(image);

-        NULSTR_FOREACH(path, image_search_path[class]) {
+        NULSTR_FOREACH(path, pick_image_search_path(class)) {
                const char *p, *q;
                size_t k;

--- a/units/systemd-sysext.service
+++ b/units/systemd-sysext.service
@ -15,6 +15,7 @@ ConditionCapability=CAP_SYS_ADMIN
 ConditionDirectoryNotEmpty=|/etc/extensions
 ConditionDirectoryNotEmpty=|/run/extensions
 ConditionDirectoryNotEmpty=|/var/lib/extensions
+ConditionDirectoryNotEmpty=|/.extra/sysext

 DefaultDependencies=no
 After=local-fs.target