Compare commits
7 Commits
19b0bab02d
...
bd6f434eb5
Author | SHA1 | Date |
---|---|---|
Timothée Ravier | bd6f434eb5 | |
Luca Boccassi | c4d7a13c06 | |
Abderrahim Kitouni | 0ae6f4843e | |
Yu Watanabe | 1ea1a79aa1 | |
Luca Boccassi | 7a9d0abe4d | |
Yu Watanabe | 6046cc3660 | |
Timothée Ravier | b4d2e2c185 |
|
@ -684,6 +684,15 @@ fi</programlisting>
|
||||||
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Notes</title>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
All example codes in this page are licensed under <literal>MIT No Attribution</literal>
|
||||||
|
(SPDX-License-Identifier: MIT-0).
|
||||||
|
</para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>See Also</title>
|
<title>See Also</title>
|
||||||
<para><simplelist type="inline">
|
<para><simplelist type="inline">
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
#include "fileio.h"
|
#include "fileio.h"
|
||||||
#include "format-util.h"
|
#include "format-util.h"
|
||||||
#include "hexdecoct.h"
|
#include "hexdecoct.h"
|
||||||
|
#include "iovec-util.h"
|
||||||
#include "macro.h"
|
#include "macro.h"
|
||||||
#include "memory-util.h"
|
#include "memory-util.h"
|
||||||
#include "parse-util.h"
|
#include "parse-util.h"
|
||||||
|
@ -31,8 +32,7 @@ int decrypt_pkcs11_key(
|
||||||
const char *key_file, /* We either expect key_file and associated parameters to be set (for file keys) … */
|
const char *key_file, /* We either expect key_file and associated parameters to be set (for file keys) … */
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const void *key_data, /* … or key_data and key_data_size (for literal keys) */
|
const struct iovec *key_data, /* … or literal keys via key_data */
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
AskPasswordFlags askpw_flags,
|
AskPasswordFlags askpw_flags,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
@ -47,15 +47,15 @@ int decrypt_pkcs11_key(
|
||||||
|
|
||||||
assert(friendly_name);
|
assert(friendly_name);
|
||||||
assert(pkcs11_uri);
|
assert(pkcs11_uri);
|
||||||
assert(key_file || key_data);
|
assert(key_file || iovec_is_set(key_data));
|
||||||
assert(ret_decrypted_key);
|
assert(ret_decrypted_key);
|
||||||
assert(ret_decrypted_key_size);
|
assert(ret_decrypted_key_size);
|
||||||
|
|
||||||
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
|
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
|
||||||
|
|
||||||
if (key_data) {
|
if (iovec_is_set(key_data)) {
|
||||||
data.encrypted_key = (void*) key_data;
|
data.encrypted_key = (void*) key_data->iov_base;
|
||||||
data.encrypted_key_size = key_data_size;
|
data.encrypted_key_size = key_data->iov_len;
|
||||||
|
|
||||||
data.free_encrypted_key = false;
|
data.free_encrypted_key = false;
|
||||||
} else {
|
} else {
|
||||||
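Review bot: The switch from `if (key_data)` to `if (iovec_is_set(key_data))` in decrypt_pkcs11_key changes what a non-NULL but zero-length key_data means: before it would have been handed to the token as an empty encrypted key, now it falls through to the key_file branch (which continues outside the hunk). The `assert(key_file || iovec_is_set(key_data))` above it still catches the case where key_file is also NULL, so this is a silent semantic shift rather than a crash, but the parameter comment does not say so. I would extend it to `const struct iovec *key_data, /* … or literal keys via key_data; an empty iovec counts as unset */`. This assumes iovec_is_set() tests both iov_base and iov_len — confirm against iovec-util.h.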
|
|
|
@ -16,8 +16,7 @@ int decrypt_pkcs11_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
AskPasswordFlags askpw_flags,
|
AskPasswordFlags askpw_flags,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
@ -39,8 +38,7 @@ static inline int decrypt_pkcs11_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
AskPasswordFlags askpw_flags,
|
AskPasswordFlags askpw_flags,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
|
|
@ -1471,8 +1471,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
struct crypt_device *cd,
|
struct crypt_device *cd,
|
||||||
const char *name,
|
const char *name,
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
uint32_t flags,
|
uint32_t flags,
|
||||||
bool pass_volume_key) {
|
bool pass_volume_key) {
|
||||||
|
@ -1489,7 +1488,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
assert(name);
|
assert(name);
|
||||||
assert(arg_fido2_device || arg_fido2_device_auto);
|
assert(arg_fido2_device || arg_fido2_device_auto);
|
||||||
|
|
||||||
if (arg_fido2_cid && !key_file && !key_data)
|
if (arg_fido2_cid && !key_file && !iovec_is_set(key_data))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
"FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
|
"FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
|
||||||
|
|
||||||
|
@ -1513,7 +1512,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
||||||
arg_fido2_rp_id,
|
arg_fido2_rp_id,
|
||||||
arg_fido2_cid, arg_fido2_cid_size,
|
arg_fido2_cid, arg_fido2_cid_size,
|
||||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||||
key_data, key_data_size,
|
key_data,
|
||||||
until,
|
until,
|
||||||
arg_fido2_manual_flags,
|
arg_fido2_manual_flags,
|
||||||
"cryptsetup.fido2-pin",
|
"cryptsetup.fido2-pin",
|
||||||
|
@ -1623,8 +1622,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
struct crypt_device *cd,
|
struct crypt_device *cd,
|
||||||
const char *name,
|
const char *name,
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
uint32_t flags,
|
uint32_t flags,
|
||||||
bool pass_volume_key) {
|
bool pass_volume_key) {
|
||||||
|
@ -1635,6 +1633,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
||||||
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
|
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
|
||||||
_cleanup_free_ void *discovered_key = NULL;
|
_cleanup_free_ void *discovered_key = NULL;
|
||||||
|
struct iovec discovered_key_data = {};
|
||||||
int keyslot = arg_key_slot, r;
|
int keyslot = arg_key_slot, r;
|
||||||
const char *uri = NULL;
|
const char *uri = NULL;
|
||||||
bool use_libcryptsetup_plugin = use_token_plugins();
|
bool use_libcryptsetup_plugin = use_token_plugins();
|
||||||
|
@ -1653,13 +1652,13 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
uri = discovered_uri;
|
uri = discovered_uri;
|
||||||
key_data = discovered_key;
|
discovered_key_data = IOVEC_MAKE(discovered_key, discovered_key_size);
|
||||||
key_data_size = discovered_key_size;
|
key_data = &discovered_key_data;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
uri = arg_pkcs11_uri;
|
uri = arg_pkcs11_uri;
|
||||||
|
|
||||||
if (!key_file && !key_data)
|
if (!key_file && !iovec_is_set(key_data))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1682,7 +1681,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
||||||
friendly,
|
friendly,
|
||||||
uri,
|
uri,
|
||||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||||
key_data, key_data_size,
|
key_data,
|
||||||
until,
|
until,
|
||||||
arg_ask_password_flags,
|
arg_ask_password_flags,
|
||||||
&decrypted_key, &decrypted_key_size);
|
&decrypted_key, &decrypted_key_size);
|
||||||
|
@ -2231,9 +2230,9 @@ static int attach_luks_or_plain_or_bitlk(
|
||||||
if (token_type == TOKEN_TPM2)
|
if (token_type == TOKEN_TPM2)
|
||||||
return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||||
if (token_type == TOKEN_FIDO2)
|
if (token_type == TOKEN_FIDO2)
|
||||||
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||||
if (token_type == TOKEN_PKCS11)
|
if (token_type == TOKEN_PKCS11)
|
||||||
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||||
if (key_data)
|
if (key_data)
|
||||||
return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
|
return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
|
||||||
if (key_file)
|
if (key_file)
|
||||||
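Review bot: The dispatcher in attach_luks_or_plain_or_bitlk still gates the literal-key path with a bare pointer test, `if (key_data)`, while the FIDO2 and PKCS#11 helpers it now hands key_data to test `iovec_is_set(key_data)`; a non-NULL iovec with iov_len == 0 would therefore be routed to attach_luks_or_plain_or_bitlk_by_key_data here but be treated as absent inside the token helpers. Whether any caller can produce such an iovec is not visible in this hunk, but changing the test to `if (iovec_is_set(key_data))` keeps the two layers consistent. Separately, in attach_luks_or_plain_or_bitlk_by_pkcs11 `key_data` is repointed at the stack-local `discovered_key_data`, whose iov_base is the `_cleanup_free_` discovered_key; that is fine for the decrypt call made within this function, but the pointer must not escape it, and a short comment next to `key_data = &discovered_key_data;` saying so would help the next maintainer. All of these function bodies continue outside the hunks.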
|
|
|
@ -24,8 +24,7 @@ int acquire_fido2_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
const char *askpw_credential,
|
const char *askpw_credential,
|
||||||
|
@ -45,10 +44,10 @@ int acquire_fido2_key(
|
||||||
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
|
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
|
||||||
|
|
||||||
assert(cid);
|
assert(cid);
|
||||||
assert(key_file || key_data);
|
assert(key_file || iovec_is_set(key_data));
|
||||||
|
|
||||||
if (key_data)
|
if (iovec_is_set(key_data))
|
||||||
salt = IOVEC_MAKE(key_data, key_data_size);
|
salt = *key_data;
|
||||||
else {
|
else {
|
||||||
if (key_file_size > 0)
|
if (key_file_size > 0)
|
||||||
log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
|
log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
|
||||||
|
@ -252,7 +251,7 @@ int acquire_fido2_key_auto(
|
||||||
/* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
|
/* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
|
||||||
/* key_file_size= */ 0,
|
/* key_file_size= */ 0,
|
||||||
/* key_file_offset= */ 0,
|
/* key_file_offset= */ 0,
|
||||||
salt, salt_size,
|
&IOVEC_MAKE(salt, salt_size),
|
||||||
until,
|
until,
|
||||||
required,
|
required,
|
||||||
"cryptsetup.fido2-pin",
|
"cryptsetup.fido2-pin",
|
||||||
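Review bot: `salt = *key_data;` in acquire_fido2_key copies the caller's iovec by value, so salt aliases memory owned by the caller exactly as the old `IOVEC_MAKE(key_data, key_data_size)` did; if `salt` carries an iovec cleanup handler (its declaration is outside the hunk), the key-file branch must remain the only path that allocates into it, or the caller's buffer would be freed on return. A one-line comment would make that borrowing explicit: `salt = *key_data; /* borrowed from the caller, never freed here */`. In acquire_fido2_key_auto the `&IOVEC_MAKE(salt, salt_size)` compound literal lives until the end of the enclosing block, which covers the call, so that use is sound.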
|
|
|
@ -20,8 +20,7 @@ int acquire_fido2_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
const char *askpw_credential,
|
const char *askpw_credential,
|
||||||
|
@ -52,8 +51,7 @@ static inline int acquire_fido2_key(
|
||||||
const char *key_file,
|
const char *key_file,
|
||||||
size_t key_file_size,
|
size_t key_file_size,
|
||||||
uint64_t key_file_offset,
|
uint64_t key_file_offset,
|
||||||
const void *key_data,
|
const struct iovec *key_data,
|
||||||
size_t key_data_size,
|
|
||||||
usec_t until,
|
usec_t until,
|
||||||
Fido2EnrollFlags required,
|
Fido2EnrollFlags required,
|
||||||
const char *askpw_credential,
|
const char *askpw_credential,
|
||||||
|
|
|
@ -44,6 +44,7 @@
|
||||||
#include "pretty-print.h"
|
#include "pretty-print.h"
|
||||||
#include "process-util.h"
|
#include "process-util.h"
|
||||||
#include "rm-rf.h"
|
#include "rm-rf.h"
|
||||||
|
#include "selinux-util.h"
|
||||||
#include "sort-util.h"
|
#include "sort-util.h"
|
||||||
#include "string-table.h"
|
#include "string-table.h"
|
||||||
#include "string-util.h"
|
#include "string-util.h"
|
||||||
|
@ -1289,6 +1290,7 @@ static int mount_overlayfs_with_op(
|
||||||
|
|
||||||
int r;
|
int r;
|
||||||
const char *top_layer = NULL;
|
const char *top_layer = NULL;
|
||||||
|
int atfd = -1;
|
||||||
|
|
||||||
assert(op);
|
assert(op);
|
||||||
assert(overlay_path);
|
assert(overlay_path);
|
||||||
|
@ -1301,6 +1303,14 @@ static int mount_overlayfs_with_op(
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
|
return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
|
||||||
|
|
||||||
|
atfd = open(meta_path, O_DIRECTORY|O_CLOEXEC);
|
||||||
|
if (atfd < 0)
|
||||||
|
return log_error_errno(atfd, "Failed to open directory '%s': %m", meta_path);
|
||||||
|
|
||||||
|
r = mac_selinux_fix_full(atfd, NULL, op->hierarchy, 0);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", meta_path);
|
||||||
|
|
||||||
if (op->upper_dir && op->work_dir) {
|
if (op->upper_dir && op->work_dir) {
|
||||||
r = mkdir_p(op->work_dir, 0700);
|
r = mkdir_p(op->work_dir, 0700);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
@ -1325,9 +1335,10 @@ static int mount_overlayfs_with_op(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) {
|
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path, const char* hierarchy) {
|
||||||
_cleanup_free_ char *f = NULL, *buf = NULL;
|
_cleanup_free_ char *f = NULL, *buf = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
int atfd = -1;
|
||||||
|
|
||||||
assert(extensions);
|
assert(extensions);
|
||||||
assert(meta_path);
|
assert(meta_path);
|
||||||
|
@ -1347,13 +1358,22 @@ static int write_extensions_file(ImageClass image_class, char **extensions, cons
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
|
return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
|
||||||
|
|
||||||
|
atfd = open(f, O_CLOEXEC);
|
||||||
|
if (atfd < 0)
|
||||||
|
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||||
|
|
||||||
|
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) {
|
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path, const char *hierarchy) {
|
||||||
_cleanup_free_ char *f = NULL;
|
_cleanup_free_ char *f = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
int r;
|
int r;
|
||||||
|
int atfd = -1;
|
||||||
|
|
||||||
assert(meta_path);
|
assert(meta_path);
|
||||||
assert(overlay_path);
|
assert(overlay_path);
|
||||||
|
@ -1376,13 +1396,22 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||||
|
|
||||||
|
atfd = open(f, O_CLOEXEC);
|
||||||
|
if (atfd < 0)
|
||||||
|
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||||
|
|
||||||
|
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) {
|
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir, const char* hierarchy) {
|
||||||
_cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
|
_cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
|
||||||
char *work_dir_in_root = NULL;
|
char *work_dir_in_root = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
int atfd = -1;
|
||||||
|
|
||||||
assert(meta_path);
|
assert(meta_path);
|
||||||
|
|
||||||
|
@ -1401,6 +1430,14 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co
|
||||||
if (!f)
|
if (!f)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
|
atfd = open(f, O_CLOEXEC);
|
||||||
|
if (atfd < 0)
|
||||||
|
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||||
|
|
||||||
|
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||||
|
|
||||||
/* Paths can have newlines for whatever reason, so better escape them to really get a single
|
/* Paths can have newlines for whatever reason, so better escape them to really get a single
|
||||||
* line file. */
|
* line file. */
|
||||||
escaped_work_dir_in_root = cescape(work_dir_in_root);
|
escaped_work_dir_in_root = cescape(work_dir_in_root);
|
||||||
|
@ -1418,24 +1455,42 @@ static int store_info_in_meta(
|
||||||
char **extensions,
|
char **extensions,
|
||||||
const char *meta_path,
|
const char *meta_path,
|
||||||
const char *overlay_path,
|
const char *overlay_path,
|
||||||
const char *work_dir) {
|
const char *work_dir,
|
||||||
|
const char *hierarchy) {
|
||||||
|
_cleanup_free_ char *f = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
int atfd = -1;
|
||||||
|
|
||||||
assert(extensions);
|
assert(extensions);
|
||||||
assert(meta_path);
|
assert(meta_path);
|
||||||
assert(overlay_path);
|
assert(overlay_path);
|
||||||
/* work_dir may be NULL */
|
/* work_dir may be NULL */
|
||||||
|
|
||||||
r = write_extensions_file(image_class, extensions, meta_path);
|
f = path_join(meta_path, image_class_info[image_class].dot_directory_name);
|
||||||
|
if (!f)
|
||||||
|
return log_oom();
|
||||||
|
|
||||||
|
r = mkdir_p(f, 0755);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = write_dev_file(image_class, meta_path, overlay_path);
|
atfd = open(f, O_CLOEXEC);
|
||||||
|
if (atfd < 0)
|
||||||
|
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||||
|
|
||||||
|
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||||
|
|
||||||
|
r = write_extensions_file(image_class, extensions, meta_path, hierarchy);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = write_work_dir_file(image_class, meta_path, work_dir);
|
r = write_dev_file(image_class, meta_path, overlay_path, hierarchy);
|
||||||
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = write_work_dir_file(image_class, meta_path, work_dir, hierarchy);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
@ -1501,6 +1556,8 @@ static int merge_hierarchy(
|
||||||
assert(overlay_path);
|
assert(overlay_path);
|
||||||
assert(workspace_path);
|
assert(workspace_path);
|
||||||
|
|
||||||
|
mac_selinux_init();
|
||||||
|
|
||||||
r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
|
r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
@ -1528,7 +1585,7 @@ static int merge_hierarchy(
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir);
|
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir, op->hierarchy);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
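Review bot: Every new `atfd = open(...)` in this file is never closed, and on failure the error path passes the descriptor value rather than errno to the logger: `return log_error_errno(atfd, "Failed to open '%s': %m", f);` with atfd == -1 logs and returns -EPERM regardless of what open() actually failed with. At each of the five sites the declaration should become `_cleanup_close_ int atfd = -EBADF;` (assuming fd-util.h is included; the include block is only partly visible) and the failure branch `return log_error_errno(errno, "Failed to open '%s': %m", f);`. In write_work_dir_file the open and mac_selinux_fix_full() also run before the file is written (the write follows the cescape() call further down, outside the hunk), so on a fresh meta directory open() presumably fails with ENOENT; moving that pair after the write, as write_extensions_file and write_dev_file do, avoids it. store_info_in_meta opens the directory it just created without O_DIRECTORY, unlike mount_overlayfs_with_op; adding it keeps the two consistent and rejects a non-directory at that path. The `mac_selinux_init();` added to merge_hierarchy also discards its return value — if it can fail, the relabel calls below will report confusing errors instead.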
|
|
|
@ -1414,7 +1414,7 @@ static int verb_enable(int argc, char **argv, void *userdata) {
|
||||||
"SetFeatureEnabled",
|
"SetFeatureEnabled",
|
||||||
&error,
|
&error,
|
||||||
/* reply= */ NULL,
|
/* reply= */ NULL,
|
||||||
"sbt",
|
"sit",
|
||||||
*feature,
|
*feature,
|
||||||
(int) enable,
|
(int) enable,
|
||||||
UINT64_C(0));
|
UINT64_C(0));
|
||||||
|
|