mountfsd: Try to polkit auth when the verity key is not available

If we include a verity signature but the corresponding key is not in
the kernel keyring or userspace, try to get polkit auth similar to how
we do the same if the image doesn't pass the policy.

man/systemd.mstack.xml

@@ -50,7 +50,7 @@
       they be missing.</para></listitem>
 
       <listitem><para>A <filename>bind@<replaceable>location</replaceable>/</filename> directory will be bind
-      mounted to the mount point indicated by the <variable>location</variable> identifier, in read-write
+      mounted to the mount point indicated by the <varname>location</varname> identifier, in read-write
       fashion. The location is encoded via the same escaping logic used for naming <literal>.mount</literal>
       units, i.e. slashes become dashes.</para></listitem>
 

po/de.po

@@ -5,7 +5,7 @@
 # Benjamin Steinwender <b@stbe.at>, 2014.
 # Bernd Homuth <dev@hmt.im>, 2015.
 # Fabian Affolter <mail@fabian-affolter.ch>, 2020.
-# Ettore Atalan <atalanttore@googlemail.com>, 2021, 2024.
+# Ettore Atalan <atalanttore@googlemail.com>, 2021, 2024, 2026.
 # Christian Wehrli <christian@chw.onl>, 2021.
 # Christian Kirbach <christian.kirbach@gmail.com>, 2023.
 # Jarne Förster <fedora@mymailclient.de>, 2024.
@@ -16,8 +16,8 @@ msgid ""
 msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2025-11-26 01:17+0000\n"
-"PO-Revision-Date: 2025-11-11 11:42+0000\n"
+"PO-Revision-Date: 2026-02-22 23:58+0000\n"
-"Last-Translator: Marcel Leismann <tiixrigjekfv@use.startmail.com>\n"
+"Last-Translator: Ettore Atalan <atalanttore@googlemail.com>\n"
 "Language-Team: German <https://translate.fedoraproject.org/projects/systemd/"
 "main/de/>\n"
 "Language: de\n"
@@ -25,7 +25,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 5.14.3\n"
+"X-Generator: Weblate 5.16\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -592,8 +592,8 @@ msgstr "Nicht angemeldetem Benutzer die Ausführung von Programmen erlauben"
 #: src/login/org.freedesktop.login1.policy:129
 msgid "Explicit request is required to run programs as a non-logged-in user."
 msgstr ""
-"Eine explizite Anfrage ist notwendig, um Programme als nicht angemeldeter "
+"Explizite Anfrage ist erforderlich, damit nicht angemeldete Benutzer "
-"Benutzer auszuführen."
+"Programme ausführen dürfen."
 
 #: src/login/org.freedesktop.login1.policy:138
 msgid "Allow non-logged-in users to run programs"

po/he.po

@@ -1,12 +1,12 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later
 #
-# Yaron Shahrabani <sh.yaron@gmail.com>, 2023, 2024.
+# Yaron Shahrabani <sh.yaron@gmail.com>, 2023, 2024, 2026.
 msgid ""
 msgstr ""
 "Project-Id-Version: systemd\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2025-11-26 01:17+0000\n"
-"PO-Revision-Date: 2024-11-19 07:38+0000\n"
+"PO-Revision-Date: 2026-02-22 23:58+0000\n"
 "Last-Translator: Yaron Shahrabani <sh.yaron@gmail.com>\n"
 "Language-Team: Hebrew <https://translate.fedoraproject.org/projects/systemd/"
 "main/he/>\n"
@@ -16,7 +16,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=4; plural=(n == 1) ? 0 : ((n == 2) ? 1 : ((n > 10 && "
 "n % 10 == 0) ? 2 : 3));\n"
-"X-Generator: Weblate 5.8.2\n"
+"X-Generator: Weblate 5.16\n"
 
 #: src/core/org.freedesktop.systemd1.policy.in:22
 msgid "Send passphrase back to system"
@@ -140,12 +140,11 @@ msgstr "נדרש אימות כדי להפעיל אזור בית של משתמש.
 
 #: src/home/org.freedesktop.home1.policy:93
 msgid "Manage Home Directory Signing Keys"
-msgstr ""
+msgstr "ניהול מפתחות חתימת תיקיית הבית"
 
 #: src/home/org.freedesktop.home1.policy:94
-#, fuzzy
 msgid "Authentication is required to manage signing keys for home directories."
-msgstr "נדרש אימות כדי לנהל שירותי מערכת או יחידות אחרות."
+msgstr "נדרש אימות כדי לנהל מפתחות חתימה לתיקיות בית."
 
 #: src/home/pam_systemd_home.c:333
 #, c-format
@@ -809,16 +808,14 @@ msgstr ""
 "נדרש אימות כדי ליצור מכונות וירטואליות (VM) או מכולות (container) מקומיות."
 
 #: src/machine/org.freedesktop.machine1.policy:106
-#, fuzzy
 msgid "Register a local virtual machine or container"
-msgstr "יצירת מכונה וירטואלית או מכולה מקומיות"
+msgstr "רישום מכונה וירטואלית או מכולה מקומיות"
 
 #: src/machine/org.freedesktop.machine1.policy:107
-#, fuzzy
 msgid ""
 "Authentication is required to register a local virtual machine or container."
 msgstr ""
-"נדרש אימות כדי ליצור מכונות וירטואליות (VM) או מכולות (container) מקומיות."
+"נדרש אימות כדי לרשום מכונות וירטואליות (VM) או מכולות (container) מקומיות."
 
 #: src/machine/org.freedesktop.machine1.policy:116
 msgid "Manage local virtual machine and container images"
@@ -1038,12 +1035,11 @@ msgstr "נדרש אימות כדי להירשם לתוצאות שאילתה."
 
 #: src/resolve/org.freedesktop.resolve1.policy:154
 msgid "Subscribe to DNS configuration"
-msgstr ""
+msgstr "מינוי להגדרות DNS"
 
 #: src/resolve/org.freedesktop.resolve1.policy:155
-#, fuzzy
 msgid "Authentication is required to subscribe to DNS configuration."
-msgstr "נדרש אימות כדי להירשם לתוצאות שאילתה."
+msgstr "נדרש אימות כדי להירשם להגדרות DNS."
 
 #: src/resolve/org.freedesktop.resolve1.policy:165
 msgid "Dump cache"
@@ -1116,9 +1112,8 @@ msgid "Manage optional features"
 msgstr "ניהול יכולות רשות"
 
 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
-#, fuzzy
 msgid "Authentication is required to manage optional features."
-msgstr "נדרש אימות כדי לנהל יכולות רשות"
+msgstr "נדרש אימות כדי לנהל יכולות רשות."
 
 #: src/timedate/org.freedesktop.timedate1.policy:22
 msgid "Set system time"
@@ -1182,11 +1177,10 @@ msgid ""
 msgstr "נדרש אימות כדי לשלוח אות יוניקס לתהליכים של ‚$(unit)’."
 
 #: src/core/dbus-unit.c:620
-#, fuzzy
 msgid ""
 "Authentication is required to send a UNIX signal to the processes of "
 "subgroup of '$(unit)'."
-msgstr "נדרש אימות כדי לשלוח אות יוניקס לתהליכים של ‚$(unit)’."
+msgstr "נדרש אימות כדי לשלוח אות יוניקס לתהליכים של תת־קבוצה של ‚$(unit)’."
 
 #: src/core/dbus-unit.c:648
 msgid "Authentication is required to reset the \"failed\" state of '$(unit)'."

src/mountfsd/mountwork.c

@@ -633,24 +633,76 @@ static int vl_method_mount_image(
         if (r < 0)
                 return r;
 
-        r = dissected_image_decrypt(
+        for (;;) {
-                        di,
+                use_policy = image_policy_free(use_policy);
-                        /* root= */ NULL,
+                ps = mfree(ps);
-                        p.password,
+
-                        &verity,
+                /* We use the image policy for trusted images if either the path is below a trusted
-                        use_policy,
+                 * directory, or if we have already acquired a PK authentication that tells us that untrusted
-                        dissect_flags);
+                 * images are OK */
-        if (r == -ENOKEY) /* new dm-verity userspace returns ENOKEY if the dm-verity signature key is not in
+                bool use_trusted_policy =
-                           * key chain. That's great. */
+                        image_is_trusted ||
-                return sd_varlink_error(link, "io.systemd.MountFileSystem.KeyNotFound", NULL);
+                        polkit_have_untrusted_action;
-        if (r == -EBUSY) /* DM kernel subsystem is shit with returning useful errors hence we keep retrying
+
-                          * under the assumption that some errors are transitional. Which the errors might
+                r = determine_image_policy(
-                          * not actually be. After all retries failed we return EBUSY. Let's turn that into a
+                                image_fd,
-                          * generic Verity error. It's not very helpful, could mean anything, but at least it
+                                use_trusted_policy,
-                          * gives client a clear idea that this has to do with Verity. */
+                                p.image_policy,
-                return sd_varlink_error(link, "io.systemd.MountFileSystem.VerityFailure", NULL);
+                                &use_policy);
-        if (r < 0)
+                if (r < 0)
-                return r;
+                        return r;
+
+                r = image_policy_to_string(use_policy, /* simplify= */ true, &ps);
+                if (r < 0)
+                        return r;
+
+                log_debug("Using image policy: %s", ps);
+
+                r = dissected_image_decrypt(
+                                di,
+                                /* root= */ NULL,
+                                p.password,
+                                &verity,
+                                use_policy,
+                                dissect_flags);
+                if (r == -EDESTADDRREQ) {
+                        /* new dm-verity userspace returns ENOKEY if the dm-verity signature key is not in
+                         * key chain which we mangle to EDESTADDRREQ. That's great. */
+
+                        if (!polkit_have_untrusted_action) {
+                                 log_debug("Missing verity key in kernel and userspace. Trying a stronger polkit authentication before continuing.");
+                                 r = varlink_verify_polkit_async_full(
+                                                 link,
+                                                 /* bus= */ NULL,
+                                                 polkit_untrusted_action,
+                                                 polkit_details,
+                                                 /* good_user= */ UID_INVALID,
+                                                 /* flags= */ 0,                   /* NB: the image cannot be authenticated, hence unless PK is around to allow this anyway, fail! */
+                                                 polkit_registry);
+                                 if (r <= 0 && !ERRNO_IS_NEG_PRIVILEGE(r))
+                                         return r;
+                                 if (r > 0) {
+                                         /* Try again, now that we know the client has enough privileges. */
+                                         log_debug("Missing verity key in kernel and userspace, retrying after polkit authentication.");
+                                         polkit_have_untrusted_action = true;
+                                         continue;
+                                 }
+                         }
+
+                        return sd_varlink_error(link, "io.systemd.MountFileSystem.KeyNotFound", NULL);
+                }
+                if (r == -EBUSY) /* DM kernel subsystem is bad at returning useful errors hence we keep retrying
+                                  * under the assumption that some errors are transitional. Which the errors might
+                                  * not actually be. After all retries failed we return EBUSY. Let's turn that into a
+                                  * generic Verity error. It's not very helpful, could mean anything, but at least it
+                                  * gives client a clear idea that this has to do with Verity. */
+                        return sd_varlink_error(link, "io.systemd.MountFileSystem.VerityFailure", NULL);
+                if (r < 0)
+                        return r;
+
+                /* Success */
+                break;
+        }
 
         r = dissected_image_mount(
                         di,