diff options
| author | maanyagoenka <maanyagoenka@microsoft.com> | 2023-02-24 00:37:52 +0000 |
|---|---|---|
| committer | maanyagoenka <maanyagoenka@microsoft.com> | 2023-04-05 21:50:04 +0000 |
| commit | b60e0f577740af89516f7c74967d7182637f27af (patch) | |
| tree | a384a6b2ab9435acc7feb1958948995b9238b2e3 | |
| parent | 7393530f223a48528a045b10575668ed5b0e6a44 (diff) | |
| download | systemd-b60e0f577740af89516f7c74967d7182637f27af.tar.gz | |
os-util: add a new confext image type and the ability to parse their release files
Adds a new image type called IMAGE_CONFEXT which is similar to IMAGE_SYSEXT but works
for the /etc/ directory instead of /usr/ and /opt/. This commit also adds the ability to
parse the release file that is present with the confext image in /etc/confext-release.d/
directory.
| -rw-r--r-- | TODO | 24 | ||||
| -rw-r--r-- | src/basic/os-util.c | 63 | ||||
| -rw-r--r-- | src/basic/os-util.h | 29 | ||||
| -rw-r--r-- | src/core/namespace.c | 2 | ||||
| -rw-r--r-- | src/portable/portable.c | 10 | ||||
| -rw-r--r-- | src/shared/discover-image.c | 18 | ||||
| -rw-r--r-- | src/shared/discover-image.h | 12 | ||||
| -rw-r--r-- | src/shared/dissect-image.c | 6 | ||||
| -rw-r--r-- | src/sysext/sysext.c | 4 |
9 files changed, 98 insertions, 70 deletions
@@ -521,13 +521,13 @@ Features: * add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing an encrypted image on some host given a public key belonging to a specific other host, so that only hosts possessing the private key in the TPM2 chip - can decrypt the volume key and activate the volume. Usecase: systemd-syscfg - for a central orchestrator to generate syscfg images securely that can only + can decrypt the volume key and activate the volume. Usecase: systemd-confext + for a central orchestrator to generate confext images securely that can only be activated on one specific host (which can be used for installing a bunch of creds in /etc/credstore/ for example). Extending on this: allow binding LUKS2 TPM based encryption also to the TPM2 internal clock. Net result: - prepare a syscfg image that can only be activated on a specific host that - runs a specific software in a specific time window. syscfg would be + prepare a confext image that can only be activated on a specific host that + runs a specific software in a specific time window. confext would be automatically invalidated outside of it. * maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of @@ -538,17 +538,17 @@ Features: this: have the report tool upload these reports every 3min somewhere. Then have the orchestrator collect these reports centrally over a 3min time window, and use them to determine what which node should now start/stop what, - and generate a small syscfg for each node, that uses Uphold= to pin services - on each node. The syscfg would be encrypted using the asymmetric encryption + and generate a small confext for each node, that uses Uphold= to pin services + on each node. The confext would be encrypted using the asymmetric encryption proposed above, so that it can only be activated on the specific host, if the software is in a good state, and within a specific time frame. Then run a loop on each node that sends report to orchestrator and then sysupdate to - update syscfg. Orchestrator would be stateless, i.e. operate on desired + update confext. Orchestrator would be stateless, i.e. operate on desired config and collected reports in the last 3min time window only, and thus can be trivially scaled up since all instances of the orchestrator should come to the same conclusions given the same inputs of reports/desired workload info. Could also be used to deliver Wireguard secrets and thus to clients, thus - permitting zero-trust networking: secrets are rolled over via syscfg updates, + permitting zero-trust networking: secrets are rolled over via confext updates, and via the time window TPM logic invalidated if node doesn't keep itself updated, or becomes corrupted in some way. @@ -597,7 +597,7 @@ Features: keyring, so that the kernel does this validation for us for verity and kernel modules -* for systemd-syscfg: add a tool that can generate suitable DDIs with verity + +* for systemd-confext: add a tool that can generate suitable DDIs with verity + sig using squashfs-tools-ng's library. Maybe just systemd-repart called under a new name with a built-in config? @@ -914,12 +914,6 @@ Features: * sysext: measure all activated sysext into a TPM PCR -* maybe add a "syscfg" concept, that is almost entirely identical to "sysext", - but operates on /etc/ instead of /usr/ and /opt/. Use case would be: trusted, - authenticated, atomic, additive configuration management primitive: drop in a - configuration bundle, and activate it, so that it is instantly visible, - comprehensively. - * systemd-dissect: show available versions inside of a disk image, i.e. if multiple versions are around of the same resource, show which ones. (in other words: show partition labels). diff --git a/src/basic/os-util.c b/src/basic/os-util.c index c8b23b10e4..8cb8d9302b 100644 --- a/src/basic/os-util.c +++ b/src/basic/os-util.c @@ -19,6 +19,21 @@ #include "utf8.h" #include "xattr-util.h" +/* Helper struct for naming simplicity and reusability */ +static const struct { + const char *release_file_directory; + const char *release_file_path_prefix; +} image_class_release_info[_IMAGE_CLASS_MAX] = { + [IMAGE_SYSEXT] = { + .release_file_directory = "/usr/lib/extension-release.d/", + .release_file_path_prefix = "/usr/lib/extension-release.d/extension-release.", + }, + [IMAGE_CONFEXT] = { + .release_file_directory = "/etc/extension-release.d/", + .release_file_path_prefix = "/etc/extension-release.d/extension-release.", + } +}; + bool image_name_is_valid(const char *s) { if (!filename_is_valid(s)) return false; @@ -36,10 +51,12 @@ bool image_name_is_valid(const char *s) { return true; } -int path_is_extension_tree(const char *path, const char *extension, bool relax_extension_release_check) { +int path_is_extension_tree(ImageClass image_class, const char *path, const char *extension, bool relax_extension_release_check) { int r; assert(path); + assert(image_class >= 0); + assert(image_class < _IMAGE_CLASS_MAX); /* Does the path exist at all? If not, generate an error immediately. This is useful so that a missing root dir * always results in -ENOENT, and we can properly distinguish the case where the whole root doesn't exist from @@ -48,8 +65,9 @@ int path_is_extension_tree(const char *path, const char *extension, bool relax_e return -errno; /* We use /usr/lib/extension-release.d/extension-release[.NAME] as flag for something being a system extension, + * /etc/extension-release.d/extension-release[.NAME] as flag for something being a system configuration, and finally, * and {/etc|/usr/lib}/os-release as a flag for something being an OS (when not an extension). */ - r = open_extension_release(path, extension, relax_extension_release_check, NULL, NULL); + r = open_extension_release(path, image_class, extension, relax_extension_release_check, NULL, NULL); if (r == -ENOENT) /* We got nothing */ return 0; if (r < 0) @@ -96,18 +114,21 @@ static int extension_release_strict_xattr_value(int extension_release_fd, const return false; } -int open_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, int *ret_fd) { +int open_extension_release(const char *root, ImageClass image_class, const char *extension, bool relax_extension_release_check, char **ret_path, int *ret_fd) { _cleanup_free_ char *q = NULL; int r, fd; if (extension) { + assert(image_class >= 0); + assert(image_class < _IMAGE_CLASS_MAX); + const char *extension_full_path; if (!image_name_is_valid(extension)) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "The extension name %s is invalid.", extension); - extension_full_path = strjoina("/usr/lib/extension-release.d/extension-release.", extension); + extension_full_path = strjoina(image_class_release_info[image_class].release_file_path_prefix, extension); r = chase(extension_full_path, root, CHASE_PREFIX_ROOT, ret_path ? &q : NULL, ret_fd ? &fd : NULL); log_full_errno_zerook(LOG_DEBUG, MIN(r, 0), "Checking for %s: %m", extension_full_path); @@ -120,10 +141,10 @@ int open_extension_release(const char *root, const char *extension, bool relax_e _cleanup_free_ char *extension_release_dir_path = NULL; _cleanup_closedir_ DIR *extension_release_dir = NULL; - r = chase_and_opendir("/usr/lib/extension-release.d/", root, CHASE_PREFIX_ROOT, + r = chase_and_opendir(image_class_release_info[image_class].release_file_directory, root, CHASE_PREFIX_ROOT, &extension_release_dir_path, &extension_release_dir); if (r < 0) - return log_debug_errno(r, "Cannot open %s/usr/lib/extension-release.d/, ignoring: %m", root); + return log_debug_errno(r, "Cannot open %s%s, ignoring: %m", root, image_class_release_info[image_class].release_file_directory); r = -ENOENT; FOREACH_DIRENT(de, extension_release_dir, return -errno) { @@ -137,7 +158,7 @@ int open_extension_release(const char *root, const char *extension, bool relax_e continue; if (!image_name_is_valid(image_name)) { - log_debug("%s/%s is not a valid extension-release file name, ignoring.", + log_debug("%s/%s is not a valid release file name, ignoring.", extension_release_dir_path, de->d_name); continue; } @@ -149,7 +170,7 @@ int open_extension_release(const char *root, const char *extension, bool relax_e O_PATH|O_CLOEXEC|O_NOFOLLOW); if (extension_release_fd < 0) return log_debug_errno(errno, - "Failed to open extension-release file %s/%s: %m", + "Failed to open release file %s/%s: %m", extension_release_dir_path, de->d_name); @@ -219,16 +240,16 @@ int open_extension_release(const char *root, const char *extension, bool relax_e return 0; } -int fopen_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, FILE **ret_file) { +int fopen_extension_release(const char *root, ImageClass image_class, const char *extension, bool relax_extension_release_check, char **ret_path, FILE **ret_file) { _cleanup_free_ char *p = NULL; _cleanup_close_ int fd = -EBADF; FILE *f; int r; if (!ret_file) - return open_extension_release(root, extension, relax_extension_release_check, ret_path, NULL); + return open_extension_release(root, image_class, extension, relax_extension_release_check, ret_path, NULL); - r = open_extension_release(root, extension, relax_extension_release_check, ret_path ? &p : NULL, &fd); + r = open_extension_release(root, image_class, extension, relax_extension_release_check, ret_path ? &p : NULL, &fd); if (r < 0) return r; @@ -243,24 +264,27 @@ int fopen_extension_release(const char *root, const char *extension, bool relax_ return 0; } -static int parse_release_internal(const char *root, bool relax_extension_release_check, const char *extension, va_list ap) { +static int parse_release_internal(const char *root, ImageClass image_class, bool relax_extension_release_check, const char *extension, va_list ap) { _cleanup_fclose_ FILE *f = NULL; _cleanup_free_ char *p = NULL; int r; - r = fopen_extension_release(root, extension, relax_extension_release_check, &p, &f); + r = fopen_extension_release(root, image_class, extension, relax_extension_release_check, &p, &f); if (r < 0) return r; return parse_env_filev(f, p, ap); } -int _parse_extension_release(const char *root, bool relax_extension_release_check, const char *extension, ...) { +int _parse_extension_release(const char *root, ImageClass image_class, bool relax_extension_release_check, const char *extension, ...) { va_list ap; int r; + assert(image_class >= 0); + assert(image_class < _IMAGE_CLASS_MAX); + va_start(ap, extension); - r = parse_release_internal(root, relax_extension_release_check, extension, ap); + r = parse_release_internal(root, image_class, relax_extension_release_check, extension, ap); va_end(ap); return r; @@ -271,7 +295,7 @@ int _parse_os_release(const char *root, ...) { int r; va_start(ap, root); - r = parse_release_internal(root, /* relax_extension_release_check= */ false, NULL, ap); + r = parse_release_internal(root, -1, /* relax_extension_release_check= */ false, NULL, ap); va_end(ap); return r; @@ -318,12 +342,15 @@ int load_os_release_pairs_with_prefix(const char *root, const char *prefix, char return 0; } -int load_extension_release_pairs(const char *root, const char *extension, bool relax_extension_release_check, char ***ret) { +int load_extension_release_pairs(const char *root, ImageClass image_class, const char *extension, bool relax_extension_release_check, char ***ret) { _cleanup_fclose_ FILE *f = NULL; _cleanup_free_ char *p = NULL; int r; - r = fopen_extension_release(root, extension, relax_extension_release_check, &p, &f); + assert(image_class >= 0); + assert(image_class < _IMAGE_CLASS_MAX); + + r = fopen_extension_release(root, image_class, extension, relax_extension_release_check, &p, &f); if (r < 0) return r; diff --git a/src/basic/os-util.h b/src/basic/os-util.h index 3bafeaeb92..2f641ba9cd 100644 --- a/src/basic/os-util.h +++ b/src/basic/os-util.h @@ -5,33 +5,44 @@ #include <stdio.h> #include "time-util.h" +typedef enum ImageClass { + IMAGE_MACHINE, + IMAGE_PORTABLE, + IMAGE_SYSEXT, + IMAGE_CONFEXT, + _IMAGE_CLASS_MAX, + _IMAGE_CLASS_INVALID = -EINVAL, +} ImageClass; + +const char* image_class_to_string(ImageClass cl) _const_; +ImageClass image_class_from_string(const char *s) _pure_; /* The *_extension_release flavours will look for /usr/lib/extension-release/extension-release.NAME * in accordance with the OS extension specification, rather than for /usr/lib/ or /etc/os-release. */ bool image_name_is_valid(const char *s) _pure_; -int path_is_extension_tree(const char *path, const char *extension, bool relax_extension_release_check); +int path_is_extension_tree(ImageClass image_class, const char *path, const char *extension, bool relax_extension_release_check); static inline int path_is_os_tree(const char *path) { - return path_is_extension_tree(path, NULL, false); + return path_is_extension_tree(IMAGE_SYSEXT, path, NULL, false); } -int open_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, int *ret_fd); +int open_extension_release(const char *root, ImageClass image_class, const char *extension, bool relax_extension_release_check, char **ret_path, int *ret_fd); static inline int open_os_release(const char *root, char **ret_path, int *ret_fd) { - return open_extension_release(root, NULL, false, ret_path, ret_fd); + return open_extension_release(root, IMAGE_SYSEXT, NULL, false, ret_path, ret_fd); } -int fopen_extension_release(const char *root, const char *extension, bool relax_extension_release_check, char **ret_path, FILE **ret_file); +int fopen_extension_release(const char *root, ImageClass image_class, const char *extension, bool relax_extension_release_check, char **ret_path, FILE **ret_file); static inline int fopen_os_release(const char *root, char **ret_path, FILE **ret_file) { - return fopen_extension_release(root, NULL, false, ret_path, ret_file); + return fopen_extension_release(root, IMAGE_SYSEXT, NULL, false, ret_path, ret_file); } -int _parse_extension_release(const char *root, bool relax_extension_release_check, const char *extension, ...) _sentinel_; +int _parse_extension_release(const char *root, ImageClass image_class, bool relax_extension_release_check, const char *extension, ...) _sentinel_; int _parse_os_release(const char *root, ...) _sentinel_; -#define parse_extension_release(root, relax_extension_release_check, extension, ...) _parse_extension_release(root, relax_extension_release_check, extension, __VA_ARGS__, NULL) +#define parse_extension_release(root, image_class, relax_extension_release_check, extension, ...) _parse_extension_release(root, image_class, relax_extension_release_check, extension, __VA_ARGS__, NULL) #define parse_os_release(root, ...) _parse_os_release(root, __VA_ARGS__, NULL) -int load_extension_release_pairs(const char *root, const char *extension, bool relax_extension_release_check, char ***ret); +int load_extension_release_pairs(const char *root, ImageClass image_class, const char *extension, bool relax_extension_release_check, char ***ret); int load_os_release_pairs(const char *root, char ***ret); int load_os_release_pairs_with_prefix(const char *root, const char *prefix, char ***ret); diff --git a/src/core/namespace.c b/src/core/namespace.c index 8b141a2484..531970ee15 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1423,7 +1423,7 @@ static int apply_one_mount( if (isempty(host_os_release_id)) return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "'ID' field not found or empty in 'os-release' data of OS tree '%s': %m", empty_to_root(root_directory)); - r = load_extension_release_pairs(mount_entry_source(m), extension_name, /* relax_extension_release_check= */ false, &extension_release); + r = load_extension_release_pairs(mount_entry_source(m), IMAGE_SYSEXT, extension_name, /* relax_extension_release_check= */ false, &extension_release); if (r == -ENOENT && m->ignore) return 0; if (r < 0) diff --git a/src/portable/portable.c b/src/portable/portable.c index adfd846bab..1878157e65 100644 --- a/src/portable/portable.c +++ b/src/portable/portable.c @@ -198,7 +198,7 @@ static int extract_now( /* First, find os-release/extension-release and send it upstream (or just save it). */ if (path_is_extension) { os_release_id = strjoina("/usr/lib/extension-release.d/extension-release.", image_name); - r = open_extension_release(where, image_name, relax_extension_release_check, &os_release_path, &os_release_fd); + r = open_extension_release(where, IMAGE_SYSEXT, image_name, relax_extension_release_check, &os_release_path, &os_release_fd); } else { os_release_id = "/etc/os-release"; r = open_os_release(where, &os_release_path, &os_release_fd); @@ -948,17 +948,17 @@ static int append_release_log_fields( static const char *const field_versions[_IMAGE_CLASS_MAX][4]= { [IMAGE_PORTABLE] = { "IMAGE_VERSION", "VERSION_ID", "BUILD_ID", NULL }, - [IMAGE_EXTENSION] = { "SYSEXT_IMAGE_VERSION", "SYSEXT_VERSION_ID", "SYSEXT_BUILD_ID", NULL }, + [IMAGE_SYSEXT] = { "SYSEXT_IMAGE_VERSION", "SYSEXT_VERSION_ID", "SYSEXT_BUILD_ID", NULL }, }; static const char *const field_ids[_IMAGE_CLASS_MAX][3]= { [IMAGE_PORTABLE] = { "IMAGE_ID", "ID", NULL }, - [IMAGE_EXTENSION] = { "SYSEXT_IMAGE_ID", "SYSEXT_ID", NULL }, + [IMAGE_SYSEXT] = { "SYSEXT_IMAGE_ID", "SYSEXT_ID", NULL }, }; _cleanup_strv_free_ char **fields = NULL; const char *id = NULL, *version = NULL; int r; - assert(IN_SET(type, IMAGE_PORTABLE, IMAGE_EXTENSION)); + assert(IN_SET(type, IMAGE_PORTABLE, IMAGE_SYSEXT)); assert(!strv_isempty((char *const *)field_ids[type])); assert(!strv_isempty((char *const *)field_versions[type])); assert(field_name); @@ -1106,7 +1106,7 @@ static int install_chroot_dropin( * still be able to identify what applies to what. */ r = append_release_log_fields(&text, ordered_hashmap_get(extension_releases, ext->name), - IMAGE_EXTENSION, + IMAGE_SYSEXT, "PORTABLE_EXTENSION_NAME_AND_VERSION"); if (r < 0) return r; diff --git a/src/shared/discover-image.c b/src/shared/discover-image.c index eed0a5629e..0343d2e20b 100644 --- a/src/shared/discover-image.c +++ b/src/shared/discover-image.c @@ -63,9 +63,14 @@ static const char* const image_search_path[_IMAGE_CLASS_MAX] = { * because extension images are supposed to extend /usr/, so you get into recursive races, especially * with directory-based extensions, as the kernel's OverlayFS explicitly checks for this and errors * out with -ELOOP if it finds that a lowerdir= is a child of another lowerdir=. */ - [IMAGE_EXTENSION] = "/etc/extensions\0" /* only place symlinks here */ - "/run/extensions\0" /* and here too */ - "/var/lib/extensions\0", /* the main place for images */ + [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */ + "/run/extensions\0" /* and here too */ + "/var/lib/extensions\0", /* the main place for images */ + + [IMAGE_CONFEXT] = "/run/confexts\0" /* only place symlinks here */ + "/var/lib/confexts\0" /* the main place for images */ + "/usr/local/lib/confexts\0" + "/usr/lib/confexts\0", }; static Image *image_free(Image *i) { @@ -1152,7 +1157,7 @@ int image_read_metadata(Image *i) { _cleanup_free_ char *hostname = NULL; _cleanup_free_ char *path = NULL; - if (i->class == IMAGE_EXTENSION) { + if (i->class == IMAGE_SYSEXT) { r = extension_has_forbidden_content(i->path); if (r < 0) return r; @@ -1190,7 +1195,7 @@ int image_read_metadata(Image *i) { if (r < 0) log_debug_errno(r, "Failed to read os-release in image, ignoring: %m"); - r = load_extension_release_pairs(i->path, i->name, /* relax_extension_release_check= */ false, &extension_release); + r = load_extension_release_pairs(i->path, i->class, i->name, /* relax_extension_release_check= */ false, &extension_release); if (r < 0) log_debug_errno(r, "Failed to read extension-release in image, ignoring: %m"); @@ -1325,7 +1330,8 @@ DEFINE_STRING_TABLE_LOOKUP(image_type, ImageType); static const char* const image_class_table[_IMAGE_CLASS_MAX] = { [IMAGE_MACHINE] = "machine", [IMAGE_PORTABLE] = "portable", - [IMAGE_EXTENSION] = "extension", + [IMAGE_SYSEXT] = "extension", + [IMAGE_CONFEXT] = "confext" }; DEFINE_STRING_TABLE_LOOKUP(image_class, ImageClass); diff --git a/src/shared/discover-image.h b/src/shared/discover-image.h index 3c6928619c..342b161577 100644 --- a/src/shared/discover-image.h +++ b/src/shared/discover-image.h @@ -9,18 +9,11 @@ #include "hashmap.h" #include "lock-util.h" #include "macro.h" +#include "os-util.h" #include "path-util.h" #include "string-util.h" #include "time-util.h" -typedef enum ImageClass { - IMAGE_MACHINE, - IMAGE_PORTABLE, - IMAGE_EXTENSION, - _IMAGE_CLASS_MAX, - _IMAGE_CLASS_INVALID = -EINVAL, -} ImageClass; - typedef enum ImageType { IMAGE_DIRECTORY, IMAGE_SUBVOLUME, @@ -77,9 +70,6 @@ int image_read_only(Image *i, bool b); const char* image_type_to_string(ImageType t) _const_; ImageType image_type_from_string(const char *s) _pure_; -const char* image_class_to_string(ImageClass cl) _const_; -ImageClass image_class_from_string(const char *s) _pure_; - int image_path_lock(const char *path, int operation, LockFile *global, LockFile *local); int image_name_lock(const char *name, int operation, LockFile *ret); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 6000af0ce0..03dcd45e35 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -1791,7 +1791,7 @@ int dissected_image_mount( if (r < 0) return r; if (r == 0) { - r = path_is_extension_tree(where, m->image_name, FLAGS_SET(flags, DISSECT_IMAGE_RELAX_SYSEXT_CHECK)); + r = path_is_extension_tree(IMAGE_SYSEXT, where, m->image_name, FLAGS_SET(flags, DISSECT_IMAGE_RELAX_SYSEXT_CHECK)); if (r < 0) return r; if (r > 0) @@ -3054,7 +3054,7 @@ int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_ * we allow a fallback that matches on the first extension-release * file found in the directory, if one named after the image cannot * be found first. */ - r = open_extension_release(t, m->image_name, /* relax_extension_release_check= */ false, NULL, &fd); + r = open_extension_release(t, IMAGE_SYSEXT, m->image_name, /* relax_extension_release_check= */ false, NULL, &fd); if (r < 0) fd = r; /* Propagate the error. */ break; @@ -3606,7 +3606,7 @@ int verity_dissect_and_mount( assert(!isempty(required_host_os_release_id)); - r = load_extension_release_pairs(dest, dissected_image->image_name, relax_extension_release_check, &extension_release); + r = load_extension_release_pairs(dest, IMAGE_SYSEXT, dissected_image->image_name, relax_extension_release_check, &extension_release); if (r < 0) return log_debug_errno(r, "Failed to parse image %s extension-release metadata: %m", dissected_image->image_name); diff --git a/src/sysext/sysext.c b/src/sysext/sysext.c index 5632b72f3d..e7d8e801fc 100644 --- a/src/sysext/sysext.c +++ b/src/sysext/sysext.c @@ -729,7 +729,7 @@ static int image_discover_and_read_metadata(Hashmap **ret_images) { if (!images) return log_oom(); - r = image_discover(IMAGE_EXTENSION, arg_root, images); + r = image_discover(IMAGE_SYSEXT, arg_root, images); if (r < 0) return log_error_errno(r, "Failed to discover extension images: %m"); @@ -832,7 +832,7 @@ static int verb_list(int argc, char **argv, void *userdata) { if (!images) return log_oom(); - r = image_discover(IMAGE_EXTENSION, arg_root, images); + r = image_discover(IMAGE_SYSEXT, arg_root, images); if (r < 0) return log_error_errno(r, "Failed to discover extension images: %m"); |