From: Alexander Larsson Date: Thu, 22 Feb 2024 11:10:41 +0000 (+0100) Subject: prepare-root: Disallow hotfixes if using signed composefs images X-Git-Tag: archive/raspbian/2024.8-1+rpi1^2~7^2~4^2~3^2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=41fd55aa794809c759fdeb25052b5322ad87e524;p=ostree.git prepare-root: Disallow hotfixes if using signed composefs images As mentioned in https://github.com/ostreedev/ostree/issues/3187, we can't allow a hotfix overlay of /usr when using signed composefs images as that would allow an attacker to persist something used across boots. --- diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c index 34d277a0..572aa9b1 100644 --- a/src/switchroot/ostree-prepare-root.c +++ b/src/switchroot/ostree-prepare-root.c @@ -572,8 +572,10 @@ main (int argc, char *argv[]) * with ostree admin unlock --hotfix. * Note however that root.transient as handled above is effectively a generalization of unlock * --hotfix. + * Also, hotfixes are incompatible with signed composefs use for security reasons. */ - if (lstat (OTCORE_HOTFIX_USR_OVL_WORK, &stbuf) == 0) + if (lstat (OTCORE_HOTFIX_USR_OVL_WORK, &stbuf) == 0 + && !(using_composefs && composefs_config->is_signed)) { /* Do we have a persistent overlayfs for /usr? If so, mount it now. */ const char usr_ovl_options[]
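Review bot: the extended condition `if (lstat (OTCORE_HOTFIX_USR_OVL_WORK, &stbuf) == 0 && !(using_composefs && composefs_config->is_signed))` silently skips the hotfix overlay with no diagnostic, so an operator who ran `ostree admin unlock --hotfix` on a signed-composefs deployment will find the work directory present, the overlay absent, and nothing in the boot log explaining why. Suggest logging a message in the case where the work directory exists but the overlay is refused (or failing hard, since a persisted hotfix work directory on a signed-composefs system is exactly the cross-boot persistence the commit message says must not be allowed), and, as a follow-up, having `ostree admin unlock --hotfix` refuse up front on signed composefs deployments rather than relying only on the boot-time skip. The new comment line "hotfixes are incompatible with signed composefs use for security reasons" would also be more useful to a reader of the code if it cited https://github.com/ostreedev/ostree/issues/3187 as the commit message does.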