Commit Graph

13 Commits

Author SHA1 Message Date
Jelle van der Waa
8b67ed854f validatefs: correct argument comments
These functions come from util-linux and can't be renamed.
2025-05-24 17:13:39 +02:00
Daan De Meyer
8857aa74e5 tree-wide: Clean up includes
This commit cleans up the includes for all the small tools across
the tree.

A few cases of returning EXIT_SUCCESS are replaced with returning
0 to avoid including <stdlib.h>.

Split out of #37344.
2025-05-14 22:34:02 +02:00
Yu Watanabe
f78e89b018 validatefs: split out validating gpt label and type
No functional change, just refactoring.
This addresses https://github.com/systemd/systemd/pull/37434#discussion_r2088950725.
2025-05-15 02:58:05 +09:00
Yu Watanabe
e4db2c9b83 validatefs: drop unnecessary empty lines 2025-05-15 02:57:57 +09:00
Lennart Poettering
f7d3262844 validatefs: properly authenticate all subordinate devices of DM devices
Previously, we'd only authenticate "one" of the subordinate devices of a
DM device, and which one was somewhat undefined, it would be what we
find in slaves/ first. This is in particular a problem with dm-verity
which generally has two subordinate devices: the data device and the
hash device.

Let's fix this properly. This means two things:

1. iterate through *all* subordinate devices of a DM device (i.e.
   iterate through the sysfs slaves/ subdir), not just
   one

2. permit configuring a list of gpt labels and gpt type uuids in the
   xattrs of mount points, so that all valid combinations can be listed.

This only updates the validation like this. The generation of xattrs
that carry multiple type uuids/labels in systemd-repart will follow in a
later commit.

This extends the syntax of the two gpt-related xattrs, to allow lists of
things. This is a true extension, without breaking compat (but even if
it was, it wouldn't matter given that validatefs was added post v257,
i.e. is not included in a stable release).

Fixes: #37157
2025-05-14 15:44:54 +02:00
Lennart Poettering
510e966677 validatefs: split out validate_fields_check() into three functions
Just some basic refactoring, no actual code changes
2025-05-14 13:04:20 +02:00
Daan De Meyer
decad4826d static-destruct: Reduce transitive includes 2025-05-07 22:04:46 +09:00
Daan De Meyer
e548ca38b9 device-util: Reduce transitive includes 2025-05-07 22:04:46 +09:00
Daan De Meyer
fda652117e fs-util: Reduce transitive includes 2025-05-07 22:04:46 +09:00
Mike Yuan
f361fad245 validatefs: use fgetxattr_malloc() where appropriate 2025-03-31 19:23:50 +02:00
Mike Yuan
8950f7651e validatefs: do not use EXIT_* in run()
The plain DEFINE_MAIN_FUNCTION is used, i.e. all >= 0 retvals
are treated as success. No need for EXIT_* annotations.
2025-03-31 19:23:50 +02:00
Mike Yuan
7b8d6fc836 validatefs: insert empty line after short description in help() text
As per our usual coding style.
2025-03-31 19:23:50 +02:00
Lennart Poettering
0bdd5ccc81 validatefs: add new tool that enforces mount constraints
This new tool looks for three xattrs on the root inode of a file system
that encode mount constraints of the file system. The tool is supposed
to be hooked into the mount logic and is supposed to protect against
misappropriating trusted file systems in unintended ways.

Consider the following scenario: we boot up on first boot and create a
tpm-locked pair of /var/ and /srv/ partitions via systemd-repart. An
attacker then offline modifies the partition table, exchanging the
metadata of the /var/ and /srv/ partitions. So far we'd happily accept
that, honour the modified metadata and boot up. This could be used to
revert changes to /var/ or similar. And all that even though both
partitions are encrypted and locked to TPM!

With this new mechanism we can encode in the protected contents of the
file system the ways it can be used: the partition type uuid, the
partition label and the intended mount point can be stored in xattrs,
and we can check them automatically on mount, and take action on
mismatch. (The action would typically be an immediate reboot.)
2025-03-31 15:14:13 +02:00
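Added example, not code from systemd or from any of the commits above: a self-contained Python model of the check that 0bdd5ccc81 and f7d3262844 describe. The file system's root inode carries allow-lists for GPT type UUID, GPT label and mount point; at mount time every bottom-level device reached through the sysfs slaves/ chain (all of them, so a dm-verity volume contributes both its data and its hash partition) must match those lists. The xattr names, the newline-separated list syntax, the in-memory shape of the slaves/ tree and the partition metadata, and all device names and type UUIDs are assumptions made for the example, not facts taken from the page.

```python
from dataclasses import dataclass

# Assumed xattr names (hypothetical; the commits do not spell them out).
XATTR_TYPE = "user.validatefs.gpt_type_uuid"
XATTR_LABEL = "user.validatefs.gpt_label"
XATTR_MOUNT = "user.validatefs.mount_point"


@dataclass(frozen=True)
class Partition:
    """GPT partition-entry metadata for one block device (what blkid reports)."""
    type_uuid: str
    label: str


def parse_list(value):
    """Multi-valued xattr -> list (assumed newline-separated); None = no constraint."""
    if value is None:
        return None
    return [v.strip() for v in value.decode().split("\n") if v.strip()]


def leaf_devices(slaves, dev):
    """Walk the sysfs slaves/ relation transitively and return every bottom-level
    device. `slaves` models /sys/class/block/<dev>/slaves as {dev: set(subs)}.
    A DM device with several subordinates yields all of them, not just one."""
    leaves, stack, seen = set(), [dev], set()
    while stack:
        d = stack.pop()
        if d in seen:
            continue
        seen.add(d)
        subs = slaves.get(d, set())
        if subs:
            stack.extend(subs)
        else:
            leaves.add(d)
    return leaves


def check_constraints(xattrs, slaves, dev, partitions, actual_mount):
    """Return a list of mismatches; an empty list means the mount is permitted.
    Every leaf device backing `dev` must carry a GPT type UUID and label that
    appear in the allow-lists stored in the file system's own xattrs."""
    problems = []
    want_mount = xattrs.get(XATTR_MOUNT)
    if want_mount is not None:
        want = want_mount.decode().rstrip("/") or "/"
        have = actual_mount.rstrip("/") or "/"
        if want != have:
            problems.append(f"mount point {have!r} not permitted, expected {want!r}")
    allowed_types = parse_list(xattrs.get(XATTR_TYPE))
    allowed_labels = parse_list(xattrs.get(XATTR_LABEL))
    if allowed_types is None and allowed_labels is None:
        return problems  # no GPT constraints recorded on this file system
    types_lc = {t.lower() for t in allowed_types or []}
    for leaf in sorted(leaf_devices(slaves, dev)):
        part = partitions.get(leaf)
        if part is None:
            problems.append(f"{leaf}: no GPT metadata, cannot validate")
            continue
        if allowed_types is not None and part.type_uuid.lower() not in types_lc:
            problems.append(f"{leaf}: GPT type {part.type_uuid} not allowed")
        if allowed_labels is not None and part.label not in allowed_labels:
            problems.append(f"{leaf}: GPT label {part.label!r} not allowed")
    return problems


# Constructed sample data, not from the page: dm-verity volume dm-0 stacked on a
# data partition (sda2) and a hash partition (sda3); UUIDs are illustrative.
ROOT_TYPE = "4f68bce3-e8cd-4db1-96e7-fbcaf984b709"
VERITY_TYPE = "2c7357ed-ebd2-46d9-aec1-23d437ec2bf5"
SLAVES = {"dm-0": {"sda2", "sda3"}, "sda2": set(), "sda3": set()}
PARTS = {"sda2": Partition(ROOT_TYPE, "root"),
         "sda3": Partition(VERITY_TYPE, "root-verity")}


def verity_both_listed():
    """Both subordinate devices are listed in the xattrs: mount is permitted."""
    xattrs = {XATTR_TYPE: f"{ROOT_TYPE}\n{VERITY_TYPE}".encode(),
              XATTR_LABEL: b"root\nroot-verity", XATTR_MOUNT: b"/"}
    return check_constraints(xattrs, SLAVES, "dm-0", PARTS, "/")


def verity_only_data_listed():
    """Only the data partition is listed: the hash device sda3 is rejected."""
    xattrs = {XATTR_TYPE: ROOT_TYPE.encode(), XATTR_LABEL: b"root", XATTR_MOUNT: b"/"}
    return check_constraints(xattrs, SLAVES, "dm-0", PARTS, "/")


def swapped_var_srv():
    """The /var/ file system says 'var' in its xattrs, but an offline-edited
    partition table now gives its partition /srv/'s type and label."""
    var_type = "4d21b016-b534-45c2-a9fb-5c16e091fd2d"
    srv_type = "3b8f8425-20e0-4f3b-907f-1a25a76f98e8"
    xattrs = {XATTR_TYPE: var_type.encode(), XATTR_LABEL: b"var", XATTR_MOUNT: b"/var/"}
    slaves = {"dm-1": {"sda5"}, "sda5": set()}
    parts = {"sda5": Partition(srv_type, "srv")}
    return check_constraints(xattrs, slaves, "dm-1", parts, "/var")


if __name__ == "__main__":
    for fn in (verity_both_listed, verity_only_data_listed, swapped_var_srv):
        print(fn.__name__, "->", fn() or "OK")
```

On a real Linux system the three inputs come from os.getxattr() on the mounted root inode (absent xattrs raise ENODATA and mean "no constraint"), from listing /sys/class/block/<dev>/slaves recursively to build the `slaves` map, and from the udev ID_PART_ENTRY_TYPE and ID_PART_ENTRY_NAME properties of each leaf. The second scenario is the bug f7d3262844 fixes: checking only whichever subordinate happens to be found first would let the hash device through unexamined, and with a single-valued xattr the verity pair could never be described at all.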