From 78ebe98061eb527f17691929f470f262a7ab2c8f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 23 Dec 2016 17:10:42 +0100
Subject: core,nspawn,dissect: make nspawn's .roothash file search reusable
This makes nspawn's logic of automatically discovering the root hash of an image file generic, and then reuses it in systemd-dissect and in PID1's RootImage= logic, so that verity is automatically set up whenever we can.
---
 src/core/namespace.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'src/core/namespace.c')
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 0ae5f704c7..75dca5b791 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -883,8 +883,11 @@ int setup_namespace(
 DissectImageFlags dissect_image_flags) {
 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
+ _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
 _cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
+ _cleanup_free_ void *root_hash = NULL;
 MountEntry *m, *mounts = NULL;
+ size_t root_hash_size = 0;
 bool make_slave = false;
 unsigned n_mounts;
 int r = 0;
@@ -906,7 +909,15 @@ int setup_namespace(
 if (r < 0)
 return r;
- r = dissect_image(loop_device->fd, NULL, 0, dissect_image_flags, &dissected_image);
+ r = root_hash_load(root_image, &root_hash, &root_hash_size);
+ if (r < 0)
+ return r;
+
+ r = dissect_image(loop_device->fd, root_hash, root_hash_size, dissect_image_flags, &dissected_image);
+ if (r < 0)
+ return r;
+
+ r = dissected_image_decrypt(dissected_image, NULL, root_hash, root_hash_size, dissect_image_flags, &decrypted_image);
 if (r < 0)
 return r;
@@ -1038,6 +1049,10 @@ int setup_namespace(
 if (r < 0)
 goto finish;
+ r = decrypted_image_relinquish(decrypted_image);
+ if (r < 0)
+ goto finish;
+ loop_device_relinquish(loop_device);
 } else if (root_directory) {
--
cgit v1.2.3-54-g00ecf
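Review bot: The root hash handed to dissect_image() and dissected_image_decrypt() in the second hunk is auto-discovered by root_hash_load(root_image, ...) rather than supplied by configuration, and nothing at the call site says what that does and does not protect. If the hash is stored where whoever can replace the image can also replace or remove it, verity catches accidental corruption but not a deliberate swap. Presumably a missing hash leaves root_hash NULL and the image is mounted unverified; root_hash_load() is not visible here, so please confirm. I would add a comment above the call such as `/* Opportunistic: the root hash is looked up alongside the image, so it is only as trustworthy as that location; no hash found means no verity. */`. setup_namespace() starts and ends outside this hunk.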
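Review bot: decrypted_image_relinquish(decrypted_image) in the third hunk is called unconditionally, although decrypted_image starts out NULL and is only ever set by dissected_image_decrypt(). If that helper leaves it NULL for an image that has neither verity nor encryption (its body is not visible here, so please confirm), this call receives a NULL pointer on the plain-image path. Unless the helper is documented to accept NULL, I would guard it: `if (decrypted_image) { r = decrypted_image_relinquish(decrypted_image); if (r < 0) goto finish; }`. The enclosing branch of setup_namespace() continues outside the hunk.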