|
 |
17b0f1 |
From 6d9aff83ef5d50a65fad4f4218073bd4aa3e6902 Mon Sep 17 00:00:00 2001
|
|
|
17b0f1 |
From: Lennart Poettering <lennart@poettering.net>
|
|
|
17b0f1 |
Date: Tue, 10 Nov 2015 20:08:04 +0100
|
|
|
17b0f1 |
Subject: [PATCH] journald: never accept fds from file systems with mandatory
|
|
|
17b0f1 |
locking enabled
|
|
|
17b0f1 |
|
|
|
17b0f1 |
This is pretty much a work-around for a security vulnerability in
|
|
|
17b0f1 |
kernels that allow unprivileged user namespaces.
|
|
|
17b0f1 |
|
|
|
17b0f1 |
Fixes #1822.
|
|
|
17b0f1 |
|
|
|
17b0f1 |
Cherry-picked from: 1e603a482f57edb1fb863dbf23b868cf5854e004
|
|
|
17b0f1 |
Resolves: #1501017
|
|
|
17b0f1 |
---
|
|
|
17b0f1 |
src/journal/journald-native.c | 30 ++++++++++++++++++++++++++++++
|
|
|
17b0f1 |
1 file changed, 30 insertions(+)
|
|
|
17b0f1 |
|
|
|
17b0f1 |
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
|
|
|
17b0f1 |
index 2c9cf6e7a8..fdb1a38ddc 100644
|
|
|
17b0f1 |
--- a/src/journal/journald-native.c
|
|
|
17b0f1 |
+++ b/src/journal/journald-native.c
|
|
|
17b0f1 |
@@ -23,6 +23,7 @@
|
|
|
17b0f1 |
#include <stddef.h>
|
|
|
17b0f1 |
#include <sys/epoll.h>
|
|
|
17b0f1 |
#include <sys/mman.h>
|
|
|
17b0f1 |
+#include <sys/statvfs.h>
|
|
|
17b0f1 |
|
|
|
17b0f1 |
#include "socket-util.h"
|
|
|
17b0f1 |
#include "path-util.h"
|
|
|
17b0f1 |
@@ -391,8 +392,37 @@ void server_process_native_file(
|
|
|
17b0f1 |
assert_se(munmap(p, ps) >= 0);
|
|
|
17b0f1 |
} else {
|
|
|
17b0f1 |
_cleanup_free_ void *p = NULL;
|
|
|
17b0f1 |
+ struct statvfs vfs;
|
|
|
17b0f1 |
ssize_t n;
|
|
|
17b0f1 |
|
|
|
17b0f1 |
+ if (fstatvfs(fd, &vfs) < 0) {
|
|
|
17b0f1 |
+ log_error_errno(errno, "Failed to stat file system of passed file, ignoring: %m");
|
|
|
17b0f1 |
+ return;
|
|
|
17b0f1 |
+ }
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ /* Refuse operating on file systems that have
|
|
|
17b0f1 |
+ * mandatory locking enabled, see:
|
|
|
17b0f1 |
+ *
|
|
|
17b0f1 |
+ * https://github.com/systemd/systemd/issues/1822
|
|
|
17b0f1 |
+ */
|
|
|
17b0f1 |
+ if (vfs.f_flag & ST_MANDLOCK) {
|
|
|
17b0f1 |
+ log_error("Received file descriptor from file system with mandatory locking enable, refusing.");
|
|
|
17b0f1 |
+ return;
|
|
|
17b0f1 |
+ }
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ /* Make the fd non-blocking. On regular files this has
|
|
|
17b0f1 |
+ * the effect of bypassing mandatory locking. Of
|
|
|
17b0f1 |
+ * course, this should normally not be necessary given
|
|
|
17b0f1 |
+ * the check above, but let's better be safe than
|
|
|
17b0f1 |
+ * sorry, after all NFS is pretty confusing regarding
|
|
|
17b0f1 |
+ * file system flags, and we better don't trust it,
|
|
|
17b0f1 |
+ * and so is SMB. */
|
|
|
17b0f1 |
+ r = fd_nonblock(fd, true);
|
|
|
17b0f1 |
+ if (r < 0) {
|
|
|
17b0f1 |
+ log_error_errno(r, "Failed to make fd non-blocking, ignoring: %m");
|
|
|
17b0f1 |
+ return;
|
|
|
17b0f1 |
+ }
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
/* The file is not sealed, we can't map the file here, since
|
|
|
17b0f1 |
* clients might then truncate it and trigger a SIGBUS for
|
|
|
17b0f1 |
* us. So let's stupidly read it */
|