diff --git a/SOURCES/0854-manager-limit-access-to-private-dbus-socket.patch b/SOURCES/0854-manager-limit-access-to-private-dbus-socket.patch new file mode 100644 index 0000000..42ff3fa --- /dev/null +++ b/SOURCES/0854-manager-limit-access-to-private-dbus-socket.patch @@ -0,0 +1,44 @@ +From 004130ae74688eb321aadc05192bab69fe5cbcbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 22 Jul 2022 11:45:12 +0200 +Subject: [PATCH] manager: limit access to private dbus socket + +For the system manager, /run/systemd/private is publicly accessible, because +/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager, +/run/user/ is 0700, and /run/user//systemd/private is 0777. This +does not directly cause any security issue because we check the sender in +bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()). + +But it makes sense to limit access to the socket to avoid wasting time in PID1. +Somebody could send messages there that'd we'd reject anyway. It also makes +things more explicit. + +(cherry picked from commit df1cbd1adf26071aab41d96e054452a3d66103a4) + +Resolves: #2119405 +--- + src/core/dbus.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/core/dbus.c b/src/core/dbus.c +index 66d838cdb4..ec6c52cb85 100644 +--- a/src/core/dbus.c ++++ b/src/core/dbus.c +@@ -42,6 +42,7 @@ + #include "string-util.h" + #include "strv.h" + #include "strxcpyx.h" ++#include "umask-util.h" + #include "user-util.h" + + #define CONNECTIONS_MAX 4096 +@@ -1019,7 +1020,8 @@ int bus_init_private(Manager *m) { + if (fd < 0) + return log_error_errno(errno, "Failed to allocate private socket: %m"); + +- r = bind(fd, &sa.sa, salen); ++ RUN_WITH_UMASK(0077) ++ r = bind(fd, &sa.sa, salen); + if (r < 0) + return log_error_errno(errno, "Failed to bind private socket: %m"); + diff --git a/SOURCES/0855-journalctl-do-not-treat-EINTR-as-an-error-when-waiti.patch b/SOURCES/0855-journalctl-do-not-treat-EINTR-as-an-error-when-waiti.patch new file mode 100644 index 0000000..d53c85d --- /dev/null +++ b/SOURCES/0855-journalctl-do-not-treat-EINTR-as-an-error-when-waiti.patch @@ -0,0 +1,35 @@ +From b0574acc0bddceb0af47f6cce327a87041ab4b52 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 11 Nov 2018 12:33:06 +0100 +Subject: [PATCH] journalctl: do not treat EINTR as an error when waiting for + events + +Fixup for 2a1e0f2228bbdfbc18635e959f47df7da50b62fe. Fixes #10724. + +Reproducer: start 'journalctl -f' in a terminal window, change window size. +(cherry picked from commit 8e143a123276a9636987b08f555603927ca9e186) + +Resolves: #2161683 +--- + src/journal/journalctl.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c +index fa83dce562..228cfe7e49 100644 +--- a/src/journal/journalctl.c ++++ b/src/journal/journalctl.c +@@ -2084,8 +2084,13 @@ static int wait_for_change(sd_journal *j, int poll_fd) { + if (r < 0) + return log_error_errno(r, "Failed to determine journal waiting time: %m"); + +- if (ppoll(pollfds, ELEMENTSOF(pollfds), timeout == USEC_INFINITY ? NULL : timespec_store(&ts, timeout), NULL) < 0) ++ if (ppoll(pollfds, ELEMENTSOF(pollfds), ++ timeout == USEC_INFINITY ? NULL : timespec_store(&ts, timeout), NULL) < 0) { ++ if (errno == EINTR) ++ return 0; ++ + return log_error_errno(errno, "Couldn't wait for journal event: %m"); ++ } + + if (pollfds[1].revents & (POLLHUP|POLLERR)) { /* STDOUT has been closed? */ + log_debug("Standard output has been closed."); diff --git a/SOURCES/0856-core-bring-manager_startup-and-manager_reload-more-i.patch b/SOURCES/0856-core-bring-manager_startup-and-manager_reload-more-i.patch new file mode 100644 index 0000000..e785fdf --- /dev/null +++ b/SOURCES/0856-core-bring-manager_startup-and-manager_reload-more-i.patch @@ -0,0 +1,76 @@ +From b9dd7ee5f4d0f6d51899d7e14ac7ef2fd2840b8f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 9 Oct 2018 17:37:57 +0200 +Subject: [PATCH] core: bring manager_startup() and manager_reload() more + inline + +Both functions do partly the same, let's make sure they do it in the +same order, and that we don't miss some calls. + +This makes a number of changes: + +1. Moves exec_runtime_vacuum() two calls down in manager_startup(). This + should not have any effect but makes manager_startup() more like + manager_reload(). + +2. Calls manager_recheck_journal(), manager_recheck_dbus(), + manager_enqueue_sync_bus_names() in manager_startup() too. This is a + good idea since during reeexec we pass through manager_startup() and + hence can't assume dbus and journald weren't up yet, hence let's + check if they are ready to be connected to. + +3. Include manager_enumerate_perpetual() in manager_reload(), too. This + is not strictly necessary, since these units are included in the + serialization anyway, but it's still a nice thing, in particular as + theoretically the deserialization could fail. + +(cherry picked from commit 3ad2afb6a204513c7834c64ab864e40169874390) + +Resolves: #2059633 +--- + src/core/manager.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/src/core/manager.c b/src/core/manager.c +index e083596e58..4a9f9bfcf9 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1665,12 +1665,12 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { + /* Release any dynamic users no longer referenced */ + dynamic_user_vacuum(m, true); + +- exec_runtime_vacuum(m); +- + /* Release any references to UIDs/GIDs no longer referenced, and destroy any IPC owned by them */ + manager_vacuum_uid_refs(m); + manager_vacuum_gid_refs(m); + ++ exec_runtime_vacuum(m); ++ + if (serialization) { + assert(m->n_reloading > 0); + m->n_reloading--; +@@ -1681,6 +1681,13 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) { + m->send_reloading_done = true; + } + ++ /* It might be safe to log to the journal now and connect to dbus */ ++ manager_recheck_journal(m); ++ manager_recheck_dbus(m); ++ ++ /* Sync current state of bus names with our set of listening units */ ++ (void) manager_enqueue_sync_bus_names(m); ++ + /* Let's finally catch up with any changes that took place while we were reloading/reexecing */ + manager_catchup(m); + +@@ -3505,7 +3512,8 @@ int manager_reload(Manager *m) { + lookup_paths_reduce(&m->lookup_paths); + manager_build_unit_path_cache(m); + +- /* First, enumerate what we can from all config files */ ++ /* First, enumerate what we can from kernel and suchlike */ ++ manager_enumerate_perpetual(m); + manager_enumerate(m); + + /* Second, deserialize our stored data */ diff --git a/SOURCES/0857-pam-add-a-call-to-pam_namespace.patch b/SOURCES/0857-pam-add-a-call-to-pam_namespace.patch new file mode 100644 index 0000000..8825e9e --- /dev/null +++ b/SOURCES/0857-pam-add-a-call-to-pam_namespace.patch @@ -0,0 +1,35 @@ +From b1b7aaf83414c5b0bed6e61d38aefe29a21fdbcf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 23 Nov 2022 16:09:56 +0100 +Subject: [PATCH] pam: add a call to pam_namespace + +A call to pam_namespace is required so that children of user@.service end up in +a namespace as expected. pam_namespace gets called as part of the stack that +creates a session (login, sshd, gdm, etc.) and those processes end up in a +namespace, but it also needs to be called from our stack which is parallel and +descends from pid1 itself. + +The call to pam_namespace is similar to the call to pam_keyinit that was added +in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service +creates a new session which is disconnected from the parent environment. Both +calls are not suitable for inclusion in the shared part of the stack (e.g. +@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser +should not include them. + +(cherry picked from commit 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901) + +Resolves: #1861836 +--- + src/login/systemd-user.m4 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4 +index 20c8999331..eb291beaed 100644 +--- a/src/login/systemd-user.m4 ++++ b/src/login/systemd-user.m4 +@@ -9,4 +9,5 @@ session required pam_selinux.so nottys open + )m4_dnl + session required pam_loginuid.so + session optional pam_keyinit.so force revoke ++session required pam_namespace.so + session optional pam_systemd.so diff --git a/SOURCES/0858-virt-Support-detection-for-ARM64-Hyper-V-guests.patch b/SOURCES/0858-virt-Support-detection-for-ARM64-Hyper-V-guests.patch new file mode 100644 index 0000000..8f71336 --- /dev/null +++ b/SOURCES/0858-virt-Support-detection-for-ARM64-Hyper-V-guests.patch @@ -0,0 +1,31 @@ +From 4b573adbcc040fa50f1130cb8cf1bdb9559565cf Mon Sep 17 00:00:00 2001 +From: Boqun Feng +Date: Wed, 13 Oct 2021 11:32:09 +0800 +Subject: [PATCH] virt: Support detection for ARM64 Hyper-V guests + +The detection of Microsoft Hyper-V VMs is done by cpuid currently, +however there is no cpuid on ARM64. And since ARM64 is now a supported +architecture for Microsoft Hyper-V guests[1], then use DMI tables to +detect a Hyper-V guest, which is more generic and works for ARM64. + +[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7aff79e297ee1aa0126924921fd87a4ae59d2467 + +(cherry picked from commit 506bbc8569014253ea8614b680ccbc4fc2513a87) + +Resolves: #2158307 +--- + src/basic/virt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index 00d1c894e6..cc95097101 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -162,6 +162,7 @@ static int detect_vm_dmi_vendor(void) { + { "Parallels", VIRTUALIZATION_PARALLELS }, + /* https://wiki.freebsd.org/bhyve */ + { "BHYVE", VIRTUALIZATION_BHYVE }, ++ { "Microsoft", VIRTUALIZATION_MICROSOFT }, + }; + unsigned i; + int r; diff --git a/SOURCES/0859-virt-Fix-the-detection-for-Hyper-V-VMs.patch b/SOURCES/0859-virt-Fix-the-detection-for-Hyper-V-VMs.patch new file mode 100644 index 0000000..8a91e30 --- /dev/null +++ b/SOURCES/0859-virt-Fix-the-detection-for-Hyper-V-VMs.patch @@ -0,0 +1,41 @@ +From e732bc987f2f779e89f30193bf694e0456ab7ce0 Mon Sep 17 00:00:00 2001 +From: Boqun Feng +Date: Tue, 23 Nov 2021 15:09:26 +0800 +Subject: [PATCH] virt: Fix the detection for Hyper-V VMs + +Use product_version instead of product_name in DMI table and the string +"Hyper-V" to avoid misdetection. + +Fixes: #21468 + +Signed-off-by: Boqun Feng +(cherry picked from commit 76eec0649936d9ae2f9087769f463feaf0cf5cb4) + +Related: #2158307 +--- + src/basic/virt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/basic/virt.c b/src/basic/virt.c +index cc95097101..f750a0463f 100644 +--- a/src/basic/virt.c ++++ b/src/basic/virt.c +@@ -143,7 +143,8 @@ static int detect_vm_dmi_vendor(void) { + "/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */ + "/sys/class/dmi/id/sys_vendor", + "/sys/class/dmi/id/board_vendor", +- "/sys/class/dmi/id/bios_vendor" ++ "/sys/class/dmi/id/bios_vendor", ++ "/sys/class/dmi/id/product_version" /* For Hyper-V VMs test */ + }; + + static const struct { +@@ -162,7 +163,7 @@ static int detect_vm_dmi_vendor(void) { + { "Parallels", VIRTUALIZATION_PARALLELS }, + /* https://wiki.freebsd.org/bhyve */ + { "BHYVE", VIRTUALIZATION_BHYVE }, +- { "Microsoft", VIRTUALIZATION_MICROSOFT }, ++ { "Hyper-V", VIRTUALIZATION_MICROSOFT }, + }; + unsigned i; + int r; diff --git a/SOURCES/0860-basic-add-STRERROR-wrapper-for-strerror_r.patch b/SOURCES/0860-basic-add-STRERROR-wrapper-for-strerror_r.patch new file mode 100644 index 0000000..4d1c5e5 --- /dev/null +++ b/SOURCES/0860-basic-add-STRERROR-wrapper-for-strerror_r.patch @@ -0,0 +1,98 @@ +From 9c95d8dda42de288a57638a44dd5ea967469063d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 7 Oct 2022 12:28:31 +0200 +Subject: [PATCH] basic: add STRERROR() wrapper for strerror_r() + +(cherry picked from commit 2c5d05b3cd986568105d67891e4010b868dea24f) + +Related: #2155520 +--- + src/basic/util.h | 10 ++++++++++ + src/test/test-util.c | 40 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+) + +diff --git a/src/basic/util.h b/src/basic/util.h +index 76b76d7e91..195f02cf5f 100644 +--- a/src/basic/util.h ++++ b/src/basic/util.h +@@ -153,6 +153,16 @@ static inline void _reset_errno_(int *saved_errno) { + errno = *saved_errno; + } + ++/* strerror(3) says that glibc uses a maximum length of 1024 bytes. */ ++#define ERRNO_BUF_LEN 1024 ++ ++/* Note: the lifetime of the compound literal is the immediately surrounding block, ++ * see C11 §6.5.2.5, and ++ * https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks ++ * ++ * Note that we use the GNU variant of strerror_r() here. */ ++#define STRERROR(errnum) strerror_r(abs(errnum), (char[ERRNO_BUF_LEN]){}, ERRNO_BUF_LEN) ++ + #define PROTECT_ERRNO _cleanup_(_reset_errno_) __attribute__((unused)) int _saved_errno_ = errno + + #define UNPROTECT_ERRNO \ +diff --git a/src/test/test-util.c b/src/test/test-util.c +index df60d89115..c93eaf7fc6 100644 +--- a/src/test/test-util.c ++++ b/src/test/test-util.c +@@ -12,6 +12,7 @@ + #include "process-util.h" + #include "raw-clone.h" + #include "rm-rf.h" ++#include "stdio-util.h" + #include "string-util.h" + #include "util.h" + +@@ -321,6 +322,42 @@ static void test_system_tasks_max_scale(void) { + assert_se(system_tasks_max_scale(UINT64_MAX/4, UINT64_MAX) == UINT64_MAX); + } + ++static void test_strerror_not_threadsafe(void) { ++ /* Just check that strerror really is not thread-safe. */ ++ log_info("strerror(%d) → %s", 200, strerror(200)); ++ log_info("strerror(%d) → %s", 201, strerror(201)); ++ log_info("strerror(%d) → %s", INT_MAX, strerror(INT_MAX)); ++ ++ log_info("strerror(%d), strerror(%d) → %p, %p", 200, 201, strerror(200), strerror(201)); ++ ++ /* This call is not allowed, because the first returned string becomes invalid when ++ * we call strerror the second time: ++ * ++ * log_info("strerror(%d), strerror(%d) → %s, %s", 200, 201, strerror(200), strerror(201)); ++ */ ++} ++ ++static void test_STRERROR(void) { ++ /* Just check that STRERROR really is thread-safe. */ ++ log_info("STRERROR(%d) → %s", 200, STRERROR(200)); ++ log_info("STRERROR(%d) → %s", 201, STRERROR(201)); ++ log_info("STRERROR(%d), STRERROR(%d) → %s, %s", 200, 201, STRERROR(200), STRERROR(201)); ++ ++ const char *a = STRERROR(200), *b = STRERROR(201); ++ assert_se(strstr(a, "200")); ++ assert_se(strstr(b, "201")); ++ ++ /* Check with negative values */ ++ assert_se(streq(a, STRERROR(-200))); ++ assert_se(streq(b, STRERROR(-201))); ++ ++ const char *c = STRERROR(INT_MAX); ++ char buf[DECIMAL_STR_MAX(int)]; ++ xsprintf(buf, "%d", INT_MAX); /* INT_MAX is hexadecimal, use printf to convert to decimal */ ++ log_info("STRERROR(%d) → %s", INT_MAX, c); ++ assert_se(strstr(c, buf)); ++} ++ + int main(int argc, char *argv[]) { + log_parse_environment(); + log_open(); +@@ -340,5 +377,8 @@ int main(int argc, char *argv[]) { + test_system_tasks_max(); + test_system_tasks_max_scale(); + ++ test_strerror_not_threadsafe(); ++ test_STRERROR(); ++ + return 0; + } diff --git a/SOURCES/0861-coredump-put-context-array-into-a-struct.patch b/SOURCES/0861-coredump-put-context-array-into-a-struct.patch new file mode 100644 index 0000000..75029e7 --- /dev/null +++ b/SOURCES/0861-coredump-put-context-array-into-a-struct.patch @@ -0,0 +1,529 @@ +From f53c6620c55488e2a3bd92957b21b6b95a7a3d35 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 12 Jan 2023 15:47:09 +0100 +Subject: [PATCH] coredump: put context array into a struct + +[dtardon: This is based on commit f46c706bdd4316ae8ed6baf7a8c382b90b84f648 , +but does just the minimal change to introduce the Context struct that is +needed by the following commit.] + +Related: #2155520 +--- + src/coredump/coredump.c | 208 +++++++++++++++++++++------------------- + 1 file changed, 108 insertions(+), 100 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index fb3a6ecfe9..ebc56d8342 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -91,6 +91,10 @@ enum { + _CONTEXT_MAX + }; + ++typedef struct Context { ++ const char *meta[_CONTEXT_MAX]; ++} Context; ++ + typedef enum CoredumpStorage { + COREDUMP_STORAGE_NONE, + COREDUMP_STORAGE_EXTERNAL, +@@ -184,7 +188,7 @@ static int fix_acl(int fd, uid_t uid) { + return 0; + } + +-static int fix_xattr(int fd, const char *context[_CONTEXT_MAX]) { ++static int fix_xattr(int fd, const Context *context) { + + static const char * const xattrs[_CONTEXT_MAX] = { + [CONTEXT_PID] = "user.coredump.pid", +@@ -209,10 +213,10 @@ static int fix_xattr(int fd, const char *context[_CONTEXT_MAX]) { + for (i = 0; i < _CONTEXT_MAX; i++) { + int k; + +- if (isempty(context[i]) || !xattrs[i]) ++ if (isempty(context->meta[i]) || !xattrs[i]) + continue; + +- k = fsetxattr(fd, xattrs[i], context[i], strlen(context[i]), XATTR_CREATE); ++ k = fsetxattr(fd, xattrs[i], context->meta[i], strlen(context->meta[i]), XATTR_CREATE); + if (k < 0 && r == 0) + r = -errno; + } +@@ -230,7 +234,7 @@ static int fix_permissions( + int fd, + const char *filename, + const char *target, +- const char *context[_CONTEXT_MAX], ++ const Context *context, + uid_t uid) { + + int r; +@@ -273,18 +277,18 @@ static int maybe_remove_external_coredump(const char *filename, uint64_t size) { + return 1; + } + +-static int make_filename(const char *context[_CONTEXT_MAX], char **ret) { ++static int make_filename(const Context *context, char **ret) { + _cleanup_free_ char *c = NULL, *u = NULL, *p = NULL, *t = NULL; + sd_id128_t boot = {}; + int r; + + assert(context); + +- c = filename_escape(context[CONTEXT_COMM]); ++ c = filename_escape(context->meta[CONTEXT_COMM]); + if (!c) + return -ENOMEM; + +- u = filename_escape(context[CONTEXT_UID]); ++ u = filename_escape(context->meta[CONTEXT_UID]); + if (!u) + return -ENOMEM; + +@@ -292,11 +296,11 @@ static int make_filename(const char *context[_CONTEXT_MAX], char **ret) { + if (r < 0) + return r; + +- p = filename_escape(context[CONTEXT_PID]); ++ p = filename_escape(context->meta[CONTEXT_PID]); + if (!p) + return -ENOMEM; + +- t = filename_escape(context[CONTEXT_TIMESTAMP]); ++ t = filename_escape(context->meta[CONTEXT_TIMESTAMP]); + if (!t) + return -ENOMEM; + +@@ -313,7 +317,7 @@ static int make_filename(const char *context[_CONTEXT_MAX], char **ret) { + } + + static int save_external_coredump( +- const char *context[_CONTEXT_MAX], ++ const Context *context, + int input_fd, + char **ret_filename, + int *ret_node_fd, +@@ -334,19 +338,19 @@ static int save_external_coredump( + assert(ret_data_fd); + assert(ret_size); + +- r = parse_uid(context[CONTEXT_UID], &uid); ++ r = parse_uid(context->meta[CONTEXT_UID], &uid); + if (r < 0) + return log_error_errno(r, "Failed to parse UID: %m"); + +- r = safe_atou64(context[CONTEXT_RLIMIT], &rlimit); ++ r = safe_atou64(context->meta[CONTEXT_RLIMIT], &rlimit); + if (r < 0) +- return log_error_errno(r, "Failed to parse resource limit: %s", context[CONTEXT_RLIMIT]); ++ return log_error_errno(r, "Failed to parse resource limit: %s", context->meta[CONTEXT_RLIMIT]); + if (rlimit < page_size()) { + /* Is coredumping disabled? Then don't bother saving/processing the coredump. + * Anything below PAGE_SIZE cannot give a readable coredump (the kernel uses + * ELF_EXEC_PAGESIZE which is not easily accessible, but is usually the same as PAGE_SIZE. */ + log_info("Resource limits disable core dumping for process %s (%s).", +- context[CONTEXT_PID], context[CONTEXT_COMM]); ++ context->meta[CONTEXT_PID], context->meta[CONTEXT_COMM]); + return -EBADSLT; + } + +@@ -371,7 +375,7 @@ static int save_external_coredump( + + r = copy_bytes(input_fd, fd, max_size, 0); + if (r < 0) { +- log_error_errno(r, "Cannot store coredump of %s (%s): %m", context[CONTEXT_PID], context[CONTEXT_COMM]); ++ log_error_errno(r, "Cannot store coredump of %s (%s): %m", context->meta[CONTEXT_PID], context->meta[CONTEXT_COMM]); + goto fail; + } + *ret_truncated = r == 1; +@@ -659,12 +663,12 @@ static int get_process_container_parent_cmdline(pid_t pid, char** cmdline) { + return 1; + } + +-static int change_uid_gid(const char *context[]) { ++static int change_uid_gid(const Context *context) { + uid_t uid; + gid_t gid; + int r; + +- r = parse_uid(context[CONTEXT_UID], &uid); ++ r = parse_uid(context->meta[CONTEXT_UID], &uid); + if (r < 0) + return r; + +@@ -677,7 +681,7 @@ static int change_uid_gid(const char *context[]) { + uid = gid = 0; + } + } else { +- r = parse_gid(context[CONTEXT_GID], &gid); ++ r = parse_gid(context->meta[CONTEXT_GID], &gid); + if (r < 0) + return r; + } +@@ -685,23 +689,23 @@ static int change_uid_gid(const char *context[]) { + return drop_privileges(uid, gid, 0); + } + +-static bool is_journald_crash(const char *context[_CONTEXT_MAX]) { ++static bool is_journald_crash(const Context *context) { + assert(context); + +- return streq_ptr(context[CONTEXT_UNIT], SPECIAL_JOURNALD_SERVICE); ++ return streq_ptr(context->meta[CONTEXT_UNIT], SPECIAL_JOURNALD_SERVICE); + } + +-static bool is_pid1_crash(const char *context[_CONTEXT_MAX]) { ++static bool is_pid1_crash(const Context *context) { + assert(context); + +- return streq_ptr(context[CONTEXT_UNIT], SPECIAL_INIT_SCOPE) || +- streq_ptr(context[CONTEXT_PID], "1"); ++ return streq_ptr(context->meta[CONTEXT_UNIT], SPECIAL_INIT_SCOPE) || ++ streq_ptr(context->meta[CONTEXT_PID], "1"); + } + + #define SUBMIT_COREDUMP_FIELDS 4 + + static int submit_coredump( +- const char *context[_CONTEXT_MAX], ++ Context *context, + struct iovec *iovec, + size_t n_iovec_allocated, + size_t n_iovec, +@@ -760,11 +764,11 @@ static int submit_coredump( + if (coredump_size <= arg_process_size_max) { + _cleanup_free_ char *stacktrace = NULL; + +- r = coredump_make_stack_trace(coredump_fd, context[CONTEXT_EXE], &stacktrace); ++ r = coredump_make_stack_trace(coredump_fd, context->meta[CONTEXT_EXE], &stacktrace); + if (r >= 0) +- core_message = strjoin("MESSAGE=Process ", context[CONTEXT_PID], +- " (", context[CONTEXT_COMM], ") of user ", +- context[CONTEXT_UID], " dumped core.", ++ core_message = strjoin("MESSAGE=Process ", context->meta[CONTEXT_PID], ++ " (", context->meta[CONTEXT_COMM], ") of user ", ++ context->meta[CONTEXT_UID], " dumped core.", + journald_crash ? "\nCoredump diverted to " : "", + journald_crash ? filename : "", + "\n\n", stacktrace); +@@ -779,9 +783,9 @@ static int submit_coredump( + if (!core_message) + #endif + log: +- core_message = strjoin("MESSAGE=Process ", context[CONTEXT_PID], +- " (", context[CONTEXT_COMM], ") of user ", +- context[CONTEXT_UID], " dumped core.", ++ core_message = strjoin("MESSAGE=Process ", context->meta[CONTEXT_PID], ++ " (", context->meta[CONTEXT_COMM], ") of user ", ++ context->meta[CONTEXT_UID], " dumped core.", + journald_crash && filename ? "\nCoredump diverted to " : NULL, + journald_crash && filename ? filename : NULL); + if (!core_message) +@@ -826,7 +830,7 @@ log: + return 0; + } + +-static void map_context_fields(const struct iovec *iovec, const char* context[]) { ++static void map_context_fields(const struct iovec *iovec, Context *context) { + + static const char * const context_field_names[] = { + [CONTEXT_PID] = "COREDUMP_PID=", +@@ -857,7 +861,7 @@ static void map_context_fields(const struct iovec *iovec, const char* context[]) + + /* Note that these strings are NUL terminated, because we made sure that a trailing NUL byte is in the + * buffer, though not included in the iov_len count. (see below) */ +- context[i] = p; ++ context->meta[i] = p; + break; + } + } +@@ -866,7 +870,7 @@ static int process_socket(int fd) { + _cleanup_close_ int coredump_fd = -1; + struct iovec *iovec = NULL; + size_t n_iovec = 0, n_allocated = 0, i, k; +- const char *context[_CONTEXT_MAX] = {}; ++ Context context = {}; + int r; + + assert(fd >= 0); +@@ -950,7 +954,7 @@ static int process_socket(int fd) { + iovec[n_iovec].iov_len = (size_t) n; + + cmsg_close_all(&mh); +- map_context_fields(iovec + n_iovec, context); ++ map_context_fields(iovec + n_iovec, &context); + n_iovec++; + } + +@@ -960,24 +964,24 @@ static int process_socket(int fd) { + } + + /* Make sure we got all data we really need */ +- assert(context[CONTEXT_PID]); +- assert(context[CONTEXT_UID]); +- assert(context[CONTEXT_GID]); +- assert(context[CONTEXT_SIGNAL]); +- assert(context[CONTEXT_TIMESTAMP]); +- assert(context[CONTEXT_RLIMIT]); +- assert(context[CONTEXT_HOSTNAME]); +- assert(context[CONTEXT_COMM]); ++ assert(context.meta[CONTEXT_PID]); ++ assert(context.meta[CONTEXT_UID]); ++ assert(context.meta[CONTEXT_GID]); ++ assert(context.meta[CONTEXT_SIGNAL]); ++ assert(context.meta[CONTEXT_TIMESTAMP]); ++ assert(context.meta[CONTEXT_RLIMIT]); ++ assert(context.meta[CONTEXT_HOSTNAME]); ++ assert(context.meta[CONTEXT_COMM]); + assert(coredump_fd >= 0); + + /* Small quirk: the journal fields contain the timestamp padded with six zeroes, so that the kernel-supplied 1s + * granularity timestamps becomes 1µs granularity, i.e. the granularity systemd usually operates in. Since we + * are reconstructing the original kernel context, we chop this off again, here. */ +- k = strlen(context[CONTEXT_TIMESTAMP]); ++ k = strlen(context.meta[CONTEXT_TIMESTAMP]); + if (k > 6) +- context[CONTEXT_TIMESTAMP] = strndupa(context[CONTEXT_TIMESTAMP], k - 6); ++ context.meta[CONTEXT_TIMESTAMP] = strndupa(context.meta[CONTEXT_TIMESTAMP], k - 6); + +- r = submit_coredump(context, iovec, n_allocated, n_iovec, coredump_fd); ++ r = submit_coredump(&context, iovec, n_allocated, n_iovec, coredump_fd); + + finish: + for (i = 0; i < n_iovec; i++) +@@ -1062,7 +1066,7 @@ static char* set_iovec_field_free(struct iovec *iovec, size_t *n_iovec, const ch + } + + static int gather_pid_metadata( +- char* context[_CONTEXT_MAX], ++ Context *context, + char **comm_fallback, + struct iovec *iovec, size_t *n_iovec) { + +@@ -1077,65 +1081,69 @@ static int gather_pid_metadata( + const char *p; + int r, signo; + +- r = parse_pid(context[CONTEXT_PID], &pid); ++ r = parse_pid(context->meta[CONTEXT_PID], &pid); + if (r < 0) +- return log_error_errno(r, "Failed to parse PID \"%s\": %m", context[CONTEXT_PID]); ++ return log_error_errno(r, "Failed to parse PID \"%s\": %m", context->meta[CONTEXT_PID]); + +- r = get_process_comm(pid, &context[CONTEXT_COMM]); ++ r = get_process_comm(pid, &t); + if (r < 0) { + log_warning_errno(r, "Failed to get COMM, falling back to the command line: %m"); +- context[CONTEXT_COMM] = strv_join(comm_fallback, " "); +- if (!context[CONTEXT_COMM]) ++ context->meta[CONTEXT_COMM] = strv_join(comm_fallback, " "); ++ if (!context->meta[CONTEXT_COMM]) + return log_oom(); +- } ++ } else ++ context->meta[CONTEXT_COMM] = t; + +- r = get_process_exe(pid, &context[CONTEXT_EXE]); ++ r = get_process_exe(pid, &t); + if (r < 0) + log_warning_errno(r, "Failed to get EXE, ignoring: %m"); ++ else ++ context->meta[CONTEXT_EXE] = t; + +- if (cg_pid_get_unit(pid, &context[CONTEXT_UNIT]) >= 0) { +- if (!is_journald_crash((const char**) context)) { ++ if (cg_pid_get_unit(pid, &t) >= 0) { ++ if (!is_journald_crash(context)) { + /* OK, now we know it's not the journal, hence we can make use of it now. */ + log_set_target(LOG_TARGET_JOURNAL_OR_KMSG); + log_open(); + } + + /* If this is PID 1 disable coredump collection, we'll unlikely be able to process it later on. */ +- if (is_pid1_crash((const char**) context)) { ++ if (is_pid1_crash(context)) { + log_notice("Due to PID 1 having crashed coredump collection will now be turned off."); + disable_coredumps(); + } + +- set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", context[CONTEXT_UNIT]); +- } ++ set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", context->meta[CONTEXT_UNIT]); ++ } else ++ context->meta[CONTEXT_UNIT] = t; + + if (cg_pid_get_user_unit(pid, &t) >= 0) + set_iovec_field_free(iovec, n_iovec, "COREDUMP_USER_UNIT=", t); + + /* The next few are mandatory */ +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_PID=", context[CONTEXT_PID])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_PID=", context->meta[CONTEXT_PID])) + return log_oom(); + +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_UID=", context[CONTEXT_UID])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_UID=", context->meta[CONTEXT_UID])) + return log_oom(); + +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_GID=", context[CONTEXT_GID])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_GID=", context->meta[CONTEXT_GID])) + return log_oom(); + +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_SIGNAL=", context[CONTEXT_SIGNAL])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_SIGNAL=", context->meta[CONTEXT_SIGNAL])) + return log_oom(); + +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_RLIMIT=", context[CONTEXT_RLIMIT])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_RLIMIT=", context->meta[CONTEXT_RLIMIT])) + return log_oom(); + +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_HOSTNAME=", context[CONTEXT_HOSTNAME])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_HOSTNAME=", context->meta[CONTEXT_HOSTNAME])) + return log_oom(); + +- if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_COMM=", context[CONTEXT_COMM])) ++ if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_COMM=", context->meta[CONTEXT_COMM])) + return log_oom(); + +- if (context[CONTEXT_EXE] && +- !set_iovec_string_field(iovec, n_iovec, "COREDUMP_EXE=", context[CONTEXT_EXE])) ++ if (context->meta[CONTEXT_EXE] && ++ !set_iovec_string_field(iovec, n_iovec, "COREDUMP_EXE=", context->meta[CONTEXT_EXE])) + return log_oom(); + + if (sd_pid_get_session(pid, &t) >= 0) +@@ -1198,11 +1206,11 @@ static int gather_pid_metadata( + if (get_process_environ(pid, &t) >= 0) + set_iovec_field_free(iovec, n_iovec, "COREDUMP_ENVIRON=", t); + +- t = strjoin("COREDUMP_TIMESTAMP=", context[CONTEXT_TIMESTAMP], "000000"); ++ t = strjoin("COREDUMP_TIMESTAMP=", context->meta[CONTEXT_TIMESTAMP], "000000"); + if (t) + iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(t); + +- if (safe_atoi(context[CONTEXT_SIGNAL], &signo) >= 0 && SIGNAL_VALID(signo)) ++ if (safe_atoi(context->meta[CONTEXT_SIGNAL], &signo) >= 0 && SIGNAL_VALID(signo)) + set_iovec_string_field(iovec, n_iovec, "COREDUMP_SIGNAL_NAME=SIG", signal_to_string(signo)); + + return 0; /* we successfully acquired all metadata */ +@@ -1210,7 +1218,7 @@ static int gather_pid_metadata( + + static int process_kernel(int argc, char* argv[]) { + +- char* context[_CONTEXT_MAX] = {}; ++ Context context = {}; + struct iovec iovec[29 + SUBMIT_COREDUMP_FIELDS]; + size_t i, n_iovec, n_to_free = 0; + int r; +@@ -1222,15 +1230,15 @@ static int process_kernel(int argc, char* argv[]) { + return -EINVAL; + } + +- context[CONTEXT_PID] = argv[1 + CONTEXT_PID]; +- context[CONTEXT_UID] = argv[1 + CONTEXT_UID]; +- context[CONTEXT_GID] = argv[1 + CONTEXT_GID]; +- context[CONTEXT_SIGNAL] = argv[1 + CONTEXT_SIGNAL]; +- context[CONTEXT_TIMESTAMP] = argv[1 + CONTEXT_TIMESTAMP]; +- context[CONTEXT_RLIMIT] = argv[1 + CONTEXT_RLIMIT]; +- context[CONTEXT_HOSTNAME] = argv[1 + CONTEXT_HOSTNAME]; ++ context.meta[CONTEXT_PID] = argv[1 + CONTEXT_PID]; ++ context.meta[CONTEXT_UID] = argv[1 + CONTEXT_UID]; ++ context.meta[CONTEXT_GID] = argv[1 + CONTEXT_GID]; ++ context.meta[CONTEXT_SIGNAL] = argv[1 + CONTEXT_SIGNAL]; ++ context.meta[CONTEXT_TIMESTAMP] = argv[1 + CONTEXT_TIMESTAMP]; ++ context.meta[CONTEXT_RLIMIT] = argv[1 + CONTEXT_RLIMIT]; ++ context.meta[CONTEXT_HOSTNAME] = argv[1 + CONTEXT_HOSTNAME]; + +- r = gather_pid_metadata(context, argv + 1 + CONTEXT_COMM, iovec, &n_to_free); ++ r = gather_pid_metadata(&context, argv + 1 + CONTEXT_COMM, iovec, &n_to_free); + if (r < 0) + goto finish; + +@@ -1243,8 +1251,8 @@ static int process_kernel(int argc, char* argv[]) { + + assert(n_iovec <= ELEMENTSOF(iovec)); + +- if (is_journald_crash((const char**) context) || is_pid1_crash((const char**) context)) +- r = submit_coredump((const char**) context, ++ if (is_journald_crash(&context) || is_pid1_crash(&context)) ++ r = submit_coredump(&context, + iovec, ELEMENTSOF(iovec), n_iovec, + STDIN_FILENO); + else +@@ -1255,15 +1263,15 @@ static int process_kernel(int argc, char* argv[]) { + free(iovec[i].iov_base); + + /* Those fields are allocated by gather_pid_metadata */ +- free(context[CONTEXT_COMM]); +- free(context[CONTEXT_EXE]); +- free(context[CONTEXT_UNIT]); ++ free((char *) context.meta[CONTEXT_COMM]); ++ free((char *) context.meta[CONTEXT_EXE]); ++ free((char *) context.meta[CONTEXT_UNIT]); + + return r; + } + + static int process_backtrace(int argc, char *argv[]) { +- char *context[_CONTEXT_MAX] = {}; ++ Context context = {}; + _cleanup_free_ char *message = NULL; + _cleanup_free_ struct iovec *iovec = NULL; + size_t n_iovec, n_allocated, n_to_free = 0, i; +@@ -1279,13 +1287,13 @@ static int process_backtrace(int argc, char *argv[]) { + return -EINVAL; + } + +- context[CONTEXT_PID] = argv[2 + CONTEXT_PID]; +- context[CONTEXT_UID] = argv[2 + CONTEXT_UID]; +- context[CONTEXT_GID] = argv[2 + CONTEXT_GID]; +- context[CONTEXT_SIGNAL] = argv[2 + CONTEXT_SIGNAL]; +- context[CONTEXT_TIMESTAMP] = argv[2 + CONTEXT_TIMESTAMP]; +- context[CONTEXT_RLIMIT] = argv[2 + CONTEXT_RLIMIT]; +- context[CONTEXT_HOSTNAME] = argv[2 + CONTEXT_HOSTNAME]; ++ context.meta[CONTEXT_PID] = argv[2 + CONTEXT_PID]; ++ context.meta[CONTEXT_UID] = argv[2 + CONTEXT_UID]; ++ context.meta[CONTEXT_GID] = argv[2 + CONTEXT_GID]; ++ context.meta[CONTEXT_SIGNAL] = argv[2 + CONTEXT_SIGNAL]; ++ context.meta[CONTEXT_TIMESTAMP] = argv[2 + CONTEXT_TIMESTAMP]; ++ context.meta[CONTEXT_RLIMIT] = argv[2 + CONTEXT_RLIMIT]; ++ context.meta[CONTEXT_HOSTNAME] = argv[2 + CONTEXT_HOSTNAME]; + + n_allocated = 34 + COREDUMP_STORAGE_EXTERNAL; + /* 26 metadata, 2 static, +unknown input, 4 storage, rounded up */ +@@ -1293,7 +1301,7 @@ static int process_backtrace(int argc, char *argv[]) { + if (!iovec) + return log_oom(); + +- r = gather_pid_metadata(context, argv + 2 + CONTEXT_COMM, iovec, &n_to_free); ++ r = gather_pid_metadata(&context, argv + 2 + CONTEXT_COMM, iovec, &n_to_free); + if (r < 0) + goto finish; + if (r > 0) { +@@ -1320,10 +1328,10 @@ static int process_backtrace(int argc, char *argv[]) { + if (journal_importer_eof(&importer)) { + log_warning("Did not receive a full journal entry on stdin, ignoring message sent by reporter"); + +- message = strjoin("MESSAGE=Process ", context[CONTEXT_PID], +- " (", context[CONTEXT_COMM], ")" +- " of user ", context[CONTEXT_UID], +- " failed with ", context[CONTEXT_SIGNAL]); ++ message = strjoin("MESSAGE=Process ", context.meta[CONTEXT_PID], ++ " (", context.meta[CONTEXT_COMM], ")" ++ " of user ", context.meta[CONTEXT_UID], ++ " failed with ", context.meta[CONTEXT_SIGNAL]); + if (!message) { + r = log_oom(); + goto finish; +@@ -1349,9 +1357,9 @@ static int process_backtrace(int argc, char *argv[]) { + free(iovec[i].iov_base); + + /* Those fields are allocated by gather_pid_metadata */ +- free(context[CONTEXT_COMM]); +- free(context[CONTEXT_EXE]); +- free(context[CONTEXT_UNIT]); ++ free((char *) context.meta[CONTEXT_COMM]); ++ free((char *) context.meta[CONTEXT_EXE]); ++ free((char *) context.meta[CONTEXT_UNIT]); + + return r; + } diff --git a/SOURCES/0862-coredump-do-not-allow-user-to-access-coredumps-with-.patch b/SOURCES/0862-coredump-do-not-allow-user-to-access-coredumps-with-.patch new file mode 100644 index 0000000..707bdda --- /dev/null +++ b/SOURCES/0862-coredump-do-not-allow-user-to-access-coredumps-with-.patch @@ -0,0 +1,354 @@ +From d178865d3d9940423f4d99360e3dc2fcaf0b2c96 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 28 Nov 2022 12:12:55 +0100 +Subject: [PATCH] coredump: do not allow user to access coredumps with changed + uid/gid/capabilities + +When the user starts a program which elevates its permissions via setuid, +setgid, or capabilities set on the file, it may access additional information +which would then be visible in the coredump. We shouldn't make the the coredump +visible to the user in such cases. + +Reported-by: Matthias Gerstner + +This reads the /proc//auxv file and attaches it to the process metadata as +PROC_AUXV. Before the coredump is submitted, it is parsed and if either +at_secure was set (which the kernel will do for processes that are setuid, +setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file +is not made accessible to the user. If we can't access this data, we assume the +file should not be made accessible either. In principle we could also access +the auxv data from a note in the core file, but that is much more complex and +it seems better to use the stand-alone file that is provided by the kernel. + +Attaching auxv is both convient for this patch (because this way it's passed +between the stages along with other fields), but I think it makes sense to save +it in general. + +We use the information early in the core file to figure out if the program was +32-bit or 64-bit and its endianness. This way we don't need heuristics to guess +whether the format of the auxv structure. This test might reject some cases on +fringe architecutes. But the impact would be limited: we just won't grant the +user permissions to view the coredump file. If people report that we're missing +some cases, we can always enhance this to support more architectures. + +I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and +ppc64el, but not the whole coredump handling. + +(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03) + +Resolves: #2155520 +--- + src/coredump/coredump.c | 190 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 182 insertions(+), 8 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index ebc56d8342..d8acd2d3a7 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -88,11 +89,13 @@ enum { + CONTEXT_COMM, + CONTEXT_EXE, + CONTEXT_UNIT, ++ CONTEXT_PROC_AUXV, + _CONTEXT_MAX + }; + + typedef struct Context { + const char *meta[_CONTEXT_MAX]; ++ size_t meta_size[_CONTEXT_MAX]; + } Context; + + typedef enum CoredumpStorage { +@@ -148,8 +151,7 @@ static inline uint64_t storage_size_max(void) { + return 0; + } + +-static int fix_acl(int fd, uid_t uid) { +- ++static int fix_acl(int fd, uid_t uid, bool allow_user) { + #if HAVE_ACL + _cleanup_(acl_freep) acl_t acl = NULL; + acl_entry_t entry; +@@ -157,6 +159,11 @@ static int fix_acl(int fd, uid_t uid) { + int r; + + assert(fd >= 0); ++ assert(uid_is_valid(uid)); ++ ++ /* We don't allow users to read coredumps if the uid or capabilities were changed. */ ++ if (!allow_user) ++ return 0; + + if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY) + return 0; +@@ -235,7 +242,8 @@ static int fix_permissions( + const char *filename, + const char *target, + const Context *context, +- uid_t uid) { ++ uid_t uid, ++ bool allow_user) { + + int r; + +@@ -245,7 +253,7 @@ static int fix_permissions( + + /* Ignore errors on these */ + (void) fchmod(fd, 0640); +- (void) fix_acl(fd, uid); ++ (void) fix_acl(fd, uid, allow_user); + (void) fix_xattr(fd, context); + + if (fsync(fd) < 0) +@@ -316,6 +324,154 @@ static int make_filename(const Context *context, char **ret) { + return 0; + } + ++static int parse_auxv64( ++ const uint64_t *auxv, ++ size_t size_bytes, ++ int *at_secure, ++ uid_t *uid, ++ uid_t *euid, ++ gid_t *gid, ++ gid_t *egid) { ++ ++ assert(auxv || size_bytes == 0); ++ ++ if (size_bytes % (2 * sizeof(uint64_t)) != 0) ++ return log_warning_errno(-EIO, "Incomplete auxv structure (%zu bytes).", size_bytes); ++ ++ size_t words = size_bytes / sizeof(uint64_t); ++ ++ /* Note that we set output variables even on error. */ ++ ++ for (size_t i = 0; i + 1 < words; i += 2) ++ switch (auxv[i]) { ++ case AT_SECURE: ++ *at_secure = auxv[i + 1] != 0; ++ break; ++ case AT_UID: ++ *uid = auxv[i + 1]; ++ break; ++ case AT_EUID: ++ *euid = auxv[i + 1]; ++ break; ++ case AT_GID: ++ *gid = auxv[i + 1]; ++ break; ++ case AT_EGID: ++ *egid = auxv[i + 1]; ++ break; ++ case AT_NULL: ++ if (auxv[i + 1] != 0) ++ goto error; ++ return 0; ++ } ++ error: ++ return log_warning_errno(-ENODATA, ++ "AT_NULL terminator not found, cannot parse auxv structure."); ++} ++ ++static int parse_auxv32( ++ const uint32_t *auxv, ++ size_t size_bytes, ++ int *at_secure, ++ uid_t *uid, ++ uid_t *euid, ++ gid_t *gid, ++ gid_t *egid) { ++ ++ assert(auxv || size_bytes == 0); ++ ++ size_t words = size_bytes / sizeof(uint32_t); ++ ++ if (size_bytes % (2 * sizeof(uint32_t)) != 0) ++ return log_warning_errno(-EIO, "Incomplete auxv structure (%zu bytes).", size_bytes); ++ ++ /* Note that we set output variables even on error. */ ++ ++ for (size_t i = 0; i + 1 < words; i += 2) ++ switch (auxv[i]) { ++ case AT_SECURE: ++ *at_secure = auxv[i + 1] != 0; ++ break; ++ case AT_UID: ++ *uid = auxv[i + 1]; ++ break; ++ case AT_EUID: ++ *euid = auxv[i + 1]; ++ break; ++ case AT_GID: ++ *gid = auxv[i + 1]; ++ break; ++ case AT_EGID: ++ *egid = auxv[i + 1]; ++ break; ++ case AT_NULL: ++ if (auxv[i + 1] != 0) ++ goto error; ++ return 0; ++ } ++ error: ++ return log_warning_errno(-ENODATA, ++ "AT_NULL terminator not found, cannot parse auxv structure."); ++} ++ ++static int grant_user_access(int core_fd, const Context *context) { ++ int at_secure = -1; ++ uid_t uid = UID_INVALID, euid = UID_INVALID; ++ uid_t gid = GID_INVALID, egid = GID_INVALID; ++ int r; ++ ++ assert(core_fd >= 0); ++ assert(context); ++ ++ if (!context->meta[CONTEXT_PROC_AUXV]) ++ return log_warning_errno(-ENODATA, "No auxv data, not adjusting permissions."); ++ ++ uint8_t elf[EI_NIDENT]; ++ errno = 0; ++ if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf)) ++ return log_warning_errno(errno > 0 ? -errno : -EIO, ++ "Failed to pread from coredump fd: %s", ++ errno > 0 ? STRERROR(errno) : "Unexpected EOF"); ++ ++ if (elf[EI_MAG0] != ELFMAG0 || ++ elf[EI_MAG1] != ELFMAG1 || ++ elf[EI_MAG2] != ELFMAG2 || ++ elf[EI_MAG3] != ELFMAG3 || ++ elf[EI_VERSION] != EV_CURRENT) ++ return log_info_errno(-EUCLEAN, ++ "Core file does not have ELF header, not adjusting permissions."); ++ if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) || ++ !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB)) ++ return log_info_errno(-EUCLEAN, ++ "Core file has strange ELF class, not adjusting permissions."); ++ ++ if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN)) ++ return log_info_errno(-EUCLEAN, ++ "Core file has non-native endianness, not adjusting permissions."); ++ ++ if (elf[EI_CLASS] == ELFCLASS64) ++ r = parse_auxv64((const uint64_t*) context->meta[CONTEXT_PROC_AUXV], ++ context->meta_size[CONTEXT_PROC_AUXV], ++ &at_secure, &uid, &euid, &gid, &egid); ++ else ++ r = parse_auxv32((const uint32_t*) context->meta[CONTEXT_PROC_AUXV], ++ context->meta_size[CONTEXT_PROC_AUXV], ++ &at_secure, &uid, &euid, &gid, &egid); ++ if (r < 0) ++ return r; ++ ++ /* We allow access if we got all the data and at_secure is not set and ++ * the uid/gid matches euid/egid. */ ++ bool ret = ++ at_secure == 0 && ++ uid != UID_INVALID && euid != UID_INVALID && uid == euid && ++ gid != GID_INVALID && egid != GID_INVALID && gid == egid; ++ log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", ++ ret ? "permit" : "restrict", ++ uid, euid, gid, egid, yes_no(at_secure)); ++ return ret; ++} ++ + static int save_external_coredump( + const Context *context, + int input_fd, +@@ -395,6 +551,8 @@ static int save_external_coredump( + goto fail; + } + ++ bool allow_user = grant_user_access(fd, context) > 0; ++ + #if HAVE_XZ || HAVE_LZ4 + /* If we will remove the coredump anyway, do not compress. */ + if (arg_compress && !maybe_remove_external_coredump(NULL, st.st_size)) { +@@ -420,7 +578,7 @@ static int save_external_coredump( + goto fail_compressed; + } + +- r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid); ++ r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user); + if (r < 0) + goto fail_compressed; + +@@ -443,7 +601,7 @@ static int save_external_coredump( + uncompressed: + #endif + +- r = fix_permissions(fd, tmp, fn, context, uid); ++ r = fix_permissions(fd, tmp, fn, context, uid, allow_user); + if (r < 0) + goto fail; + +@@ -842,6 +1000,7 @@ static void map_context_fields(const struct iovec *iovec, Context *context) { + [CONTEXT_HOSTNAME] = "COREDUMP_HOSTNAME=", + [CONTEXT_COMM] = "COREDUMP_COMM=", + [CONTEXT_EXE] = "COREDUMP_EXE=", ++ [CONTEXT_PROC_AUXV] = "COREDUMP_PROC_AUXV=", + }; + + unsigned i; +@@ -862,6 +1021,7 @@ static void map_context_fields(const struct iovec *iovec, Context *context) { + /* Note that these strings are NUL terminated, because we made sure that a trailing NUL byte is in the + * buffer, though not included in the iov_len count. (see below) */ + context->meta[i] = p; ++ context->meta_size[i] = iovec->iov_len - strlen(context_field_names[i]); + break; + } + } +@@ -1070,7 +1230,7 @@ static int gather_pid_metadata( + char **comm_fallback, + struct iovec *iovec, size_t *n_iovec) { + +- /* We need 27 empty slots in iovec! ++ /* We need 28 empty slots in iovec! + * + * Note that if we fail on oom later on, we do not roll-back changes to the iovec structure. (It remains valid, + * with the first n_iovec fields initialized.) */ +@@ -1078,6 +1238,7 @@ static int gather_pid_metadata( + uid_t owner_uid; + pid_t pid; + char *t; ++ size_t size; + const char *p; + int r, signo; + +@@ -1187,6 +1348,19 @@ static int gather_pid_metadata( + if (read_full_file(p, &t, NULL) >=0) + set_iovec_field_free(iovec, n_iovec, "COREDUMP_PROC_MOUNTINFO=", t); + ++ /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */ ++ p = procfs_file_alloca(pid, "auxv"); ++ if (read_full_file(p, &t, &size) >= 0) { ++ char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1); ++ if (buf) { ++ /* Add a dummy terminator to make save_context() happy. */ ++ *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0'; ++ iovec[(*n_iovec)++] = IOVEC_MAKE(buf, size + strlen("COREDUMP_PROC_AUXV=")); ++ } ++ ++ free(t); ++ } ++ + if (get_process_cwd(pid, &t) >= 0) + set_iovec_field_free(iovec, n_iovec, "COREDUMP_CWD=", t); + +@@ -1219,7 +1393,7 @@ static int gather_pid_metadata( + static int process_kernel(int argc, char* argv[]) { + + Context context = {}; +- struct iovec iovec[29 + SUBMIT_COREDUMP_FIELDS]; ++ struct iovec iovec[30 + SUBMIT_COREDUMP_FIELDS]; + size_t i, n_iovec, n_to_free = 0; + int r; + diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 6079af7..d00e99d 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -13,7 +13,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 239 -Release: 70%{?dist} +Release: 71%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -903,6 +903,15 @@ Patch0850: 0850-virt-use-string-table-to-detect-VM-or-container.patch Patch0851: 0851-fileio-introduce-read_full_virtual_file-for-reading-.patch Patch0852: 0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch Patch0853: 0853-device-drop-refuse_after.patch +Patch0854: 0854-manager-limit-access-to-private-dbus-socket.patch +Patch0855: 0855-journalctl-do-not-treat-EINTR-as-an-error-when-waiti.patch +Patch0856: 0856-core-bring-manager_startup-and-manager_reload-more-i.patch +Patch0857: 0857-pam-add-a-call-to-pam_namespace.patch +Patch0858: 0858-virt-Support-detection-for-ARM64-Hyper-V-guests.patch +Patch0859: 0859-virt-Fix-the-detection-for-Hyper-V-VMs.patch +Patch0860: 0860-basic-add-STRERROR-wrapper-for-strerror_r.patch +Patch0861: 0861-coredump-put-context-array-into-a-struct.patch +Patch0862: 0862-coredump-do-not-allow-user-to-access-coredumps-with-.patch %ifarch %{ix86} x86_64 aarch64 %global have_gnu_efi 1 @@ -1532,6 +1541,17 @@ fi %files tests -f .file-list-tests %changelog +* Tue Jan 31 2023 systemd maintenance team - 239-71 +- manager: limit access to private dbus socket (#2119405) +- journalctl: do not treat EINTR as an error when waiting for events (#2161683) +- core: bring manager_startup() and manager_reload() more inline (#2059633) +- pam: add a call to pam_namespace (#1861836) +- virt: Support detection for ARM64 Hyper-V guests (#2158307) +- virt: Fix the detection for Hyper-V VMs (#2158307) +- basic: add STRERROR() wrapper for strerror_r() (#2155520) +- coredump: put context array into a struct (#2155520) +- coredump: do not allow user to access coredumps with changed uid/gid/capabilities (#2155520) + * Mon Jan 16 2023 systemd maintenance team - 239-70 - basic: recognize pdfs filesystem as a network filesystem (#2094661) - core: move reset_arguments() to the end of main's finish (#2127131)