[systemd-devel] Sysext questions

Itxaka Serrano Garcia itxaka.garcia at spectrocloud.com
Wed Jun 5 16:28:47 UTC 2024


Hello again!

A few sysext questions that have arisen from our testing

 - image policy is configurable, but is there a single config file where
we can put that so it's used system-wide? For example, to only allow
verity+signed? Service override?
 - I can't see anything preventing a manual call to sysext refresh from
overriding the default policy, i.e. if we set it at the service level in an
immutable system, nothing prevents someone from calling the sysext command
manually and overriding the image policy, no?
 - I also don't see anything that can run against a single sysext and
return a validity check, to check that individual files conform to a given
policy, for example? Any idea if there is something like that? Sysext verify
SYSEXT_FILE --image-policy=whatever
 - I have also seen that, having several extensions verity+signed, if there
is just one that is not either verity or signed, the whole merge stops?
Is there any reasoning for that? Is that a bug? Should I open a bug for
this? IMHO it makes no sense, as they are individual files, so if something
does not match the policy it should just be skipped and the rest of the
extensions loaded anyway. But of course I have low visibility into this, so
there may be good reasons for it.

I think that's all, thanks for reading!
Itxaka