Sysext questions


Hello again!

A few sysext questions that have arisen from our testing:

 - Image policy is configurable, but is there a single config file where we can put that so it's used system-wide? For example, to only allow verity+signed? Service override?
 - I can't see anything preventing a manual call to sysext refresh from overriding the default policy, i.e. if we set it at the service level in an immutable system, nothing prevents someone from calling the sysext command manually and overriding the image policy, no?
 - I also don't see anything that can run against a single sysext and return a validity check, to check that individual files conform to a given policy, for example. Any idea if there is something like that? Sysext verify SYSEXT_FILE --image-policy=whatever
 - I have also seen that when having several extensions that are verity+signed, if there is just one that is not either verity or signed, the whole merge stops. Is there any reasoning for that? Is that a bug? Should I open a bug for this? IMHO it makes no sense, as they are individual files, so if something does not match the policy it should just be skipped and the rest of the extensions loaded anyway. But of course I have low visibility into this, so there may be good reasons for it.

I think that's all, thanks for reading!
Itxaka


