From 41fd55aa794809c759fdeb25052b5322ad87e524 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Thu, 22 Feb 2024 12:10:41 +0100
Subject: [PATCH] prepare-root: Disallow hotfixes if using signed composefs images

As mentioned in https://github.com/ostreedev/ostree/issues/3187, we can't allow a hotfix overlay of /usr when using signed composefs images as that would allow an attacker to persist something used across boots.

---
 src/switchroot/ostree-prepare-root.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
index 34d277a020..572aa9b1b8 100644
--- a/src/switchroot/ostree-prepare-root.c
+++ b/src/switchroot/ostree-prepare-root.c
@@ -572,8 +572,10 @@ main (int argc, char *argv[])
 * with ostree admin unlock --hotfix.
 * Note however that root.transient as handled above is effectively a generalization of unlock
 * --hotfix.
+ * Also, hotfixes are incompatible with signed composefs use for security reasons.
 */
- if (lstat (OTCORE_HOTFIX_USR_OVL_WORK, &stbuf) == 0)
+ if (lstat (OTCORE_HOTFIX_USR_OVL_WORK, &stbuf) == 0
+ && !(using_composefs && composefs_config->is_signed))
 {
 /* Do we have a persistent overlayfs for /usr? If so, mount it now. */
 const char usr_ovl_options[]
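Review bot: When a hotfix overlay work directory exists but signed composefs is in use, the new `&& !(using_composefs && composefs_config->is_signed)` clause makes the `if` silently fall through, so an operator who ran `ostree admin unlock --hotfix` gets no indication in the boot log that the overlay was refused. An `else if (lstat (OTCORE_HOTFIX_USR_OVL_WORK, &stbuf) == 0)` branch that prints something like "Ignoring hotfix overlay of /usr: incompatible with signed composefs" through whatever logging helper this file already uses would make the refusal visible and auditable. The added comment could also state the outcome rather than only the reason, e.g. ` * Also, hotfixes are incompatible with signed composefs use for security reasons; an existing overlay is ignored (not an error) in that case.` The enclosing main() starts and ends outside the hunk, and whether composefs_config is guaranteed non-NULL at this point cannot be confirmed from the visible lines.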