mirror of
https://github.com/morgan9e/systemd
synced 2026-04-14 08:25:20 +09:00
This new tool looks for three xattrs on the root inode of a file system that encode mount constraints of the file system. The tool is supposed to be hooked into the mount logic and is supposed to protect against misappropriating trusted file systems in unintended ways. Consider the following scenario: we boot up on first boot and create a TPM-locked pair of /var/ and /srv/ partitions via systemd-repart. An attacker then offline modifies the partition table, exchanging the metadata of the /var/ and /srv/ partitions. So far we'd happily accept that, honour the modified metadata and boot up. This could be used to revert changes to /var/ or similar. And all that even though both partitions are encrypted and locked to TPM! With this new mechanism we can encode in the protected contents of the file systems the ways they can be used: the partition type UUID, the partition label and the intended mount point can be stored in xattrs, and we can check them automatically on mount, and take action on mismatch. (The action would typically be an immediate reboot.)
24 lines
772 B
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Validate File System Mount Constraints of %f
Documentation=man:systemd-validatefs@.service(8)
DefaultDependencies=no
BindsTo=%i.mount
Conflicts=shutdown.target
After=%i.mount
Before=shutdown.target systemd-pcrfs@%i.service systemd-quotacheck@%i.service systemd-growfs@%i.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-validatefs --root=auto %f
FailureAction=reboot-immediate