summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-12-23 17:10:42 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-07 12:21:28 +0100
commit78ebe98061eb527f17691929f470f262a7ab2c8f (patch)
tree59683606cfb85012fb77d4416a95ffa4144c0acd /src/core
parent915e6d1676cf73c4f927f3bbfa21ee82640b1832 (diff)
core,nspawn,dissect: make nspawn's .roothash file search reusable
This makes nspawn's logic of automatically discovering the root hash of an image file generic, and then reuses it in systemd-dissect and in PID1's RootImage= logic, so that verity is automatically set up whenever we can.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/namespace.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 0ae5f704c7..75dca5b791 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -883,8 +883,11 @@ int setup_namespace(
DissectImageFlags dissect_image_flags) {
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
+ _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
+ _cleanup_free_ void *root_hash = NULL;
MountEntry *m, *mounts = NULL;
+ size_t root_hash_size = 0;
bool make_slave = false;
unsigned n_mounts;
int r = 0;
@@ -906,7 +909,15 @@ int setup_namespace(
if (r < 0)
return r;
- r = dissect_image(loop_device->fd, NULL, 0, dissect_image_flags, &dissected_image);
+ r = root_hash_load(root_image, &root_hash, &root_hash_size);
+ if (r < 0)
+ return r;
+
+ r = dissect_image(loop_device->fd, root_hash, root_hash_size, dissect_image_flags, &dissected_image);
+ if (r < 0)
+ return r;
+
+ r = dissected_image_decrypt(dissected_image, NULL, root_hash, root_hash_size, dissect_image_flags, &decrypted_image);
if (r < 0)
return r;
@@ -1038,6 +1049,10 @@ int setup_namespace(
if (r < 0)
goto finish;
+ r = decrypted_image_relinquish(decrypted_image);
+ if (r < 0)
+ goto finish;
+
loop_device_relinquish(loop_device);
} else if (root_directory) {