Commit cf3b3bc7 authored by Michael Biebl's avatar Michael Biebl

Fix ProtectSystem= to properly work with split /usr

Cherry-pick upstream commit to fix ProtectSystem=full and make the
ProtectSystem= option consider /bin, /sbin, /lib and /lib64 (if it
exists) on Debian systems.

Closes: #759689
parent f5d78072
......@@ -30,6 +30,9 @@ systemd (215-1) UNRELEASED; urgency=medium
* Disable factory-reset feature and remove files associated with it. This
feature needs more integration work first before it can be enabled in
Debian.
* Cherry-pick upstream commit to fix ProtectSystem=full and make the
ProtectSystem= option consider /bin, /sbin, /lib and /lib64 (if it exists)
on Debian systems. (Closes: #759689)
-- Michael Biebl <biebl@debian.org> Tue, 26 Aug 2014 12:09:10 +0200
......
From: Ansgar Burchardt <ansgar@debian.org>
Date: Thu, 24 Jul 2014 19:38:07 +0200
Subject: Include additional directories in ProtectSystem
---
src/core/namespace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5466b7b..88f6448 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -372,7 +372,7 @@ int setup_namespace(
strv_length(inaccessible_dirs) +
private_dev +
(protect_home != PROTECT_HOME_NO ? 3 : 0) +
- (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 6 : 0) +
(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
if (n > 0) {
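Review bot: The literal `6` in the `protect_system != PROTECT_SYSTEM_NO` term has to equal the number of entries in the shorter `STRV_MAKE(...)` list passed to `append_mounts()` in the next hunk, and nothing in the code ties the two together. `n` presumably sizes the mount table that is filled further down (the allocation is outside this hunk), so a directory added to the list without raising the count could write past that table. At minimum add a comment such as `/* 6 = /usr, /bin, /sbin, /lib, -/lib64, -/boot; +1 below for /etc; keep in sync with append_mounts() */`; keeping the directories in one named array and deriving the count from it would remove the coupling altogether. setup_namespace() starts and ends outside the hunk.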
@@ -414,7 +414,7 @@ int setup_namespace(
}
if (protect_system != PROTECT_SYSTEM_NO) {
- r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot", "/etc") : STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot"), READONLY);
if (r < 0)
return r;
}
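Review bot: The read-only list now covers `/lib` and, optionally, `/lib64`, but other top-level library directories that can exist on a split-/usr multilib install, such as `/lib32` and `/libx32`, would stay writable under ProtectSystem=. If they are meant to be covered, they can be added with the same `-` prefix already used for `-/lib64` so that a missing directory is ignored, with the `6` in the earlier hunk raised to match. The six shared entries are also written out twice inside the ternary, which makes the two lists easy to let drift apart; a comment like `/* ProtectSystem=full is the same list plus /etc */` above the call would help. The enclosing function continues outside the hunk.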
From: Ansgar Burchardt <ansgar@debian.org>
Date: Sun, 27 Jul 2014 15:19:00 +0200
Subject: parse_boolean: require exact matches
Require exact matches in all cases instead of treating strings
starting with 't' ('f') as true (false).
This is required for config_parse_protect_system to parse ProtectSystem=full
correctly: it uses parse_boolean and only tries a more specific parsing
function if that did not return a valid result. Thus "full" was treated as
"false" before.
(cherry picked commit from 0f625d0b87139fc18cd565c9b6da05c53a0eb7ab)
---
src/shared/util.c | 4 ++--
src/test/test-util.c | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/shared/util.c b/src/shared/util.c
index 103bf2a..f7f9b74 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -231,9 +231,9 @@ int unlink_noerrno(const char *path) {
int parse_boolean(const char *v) {
assert(v);
- if (streq(v, "1") || v[0] == 'y' || v[0] == 'Y' || v[0] == 't' || v[0] == 'T' || strcaseeq(v, "on"))
+ if (streq(v, "1") || strcaseeq(v, "yes") || strcaseeq(v, "y") || strcaseeq(v, "true") || strcaseeq(v, "t") || strcaseeq(v, "on"))
return 1;
- else if (streq(v, "0") || v[0] == 'n' || v[0] == 'N' || v[0] == 'f' || v[0] == 'F' || strcaseeq(v, "off"))
+ else if (streq(v, "0") || strcaseeq(v, "no") || strcaseeq(v, "n") || strcaseeq(v, "false") || strcaseeq(v, "f") || strcaseeq(v, "off"))
return 0;
return -EINVAL;
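Review bot: parse_boolean() carries no comment stating which spellings it accepts, and after this change that set is a contract: config_parse_protect_system relies on a negative return to fall through to its own keywords. A comment above the function would record it, for example `/* Accepts exactly 1/yes/y/true/t/on and 0/no/n/false/f/off, case-insensitive; anything else returns -EINVAL */`. Every caller is affected, so values that previously matched only by their first letter are now rejected; callers that ignore the error or default on it are worth checking so that a protective setting does not silently end up disabled. The function's closing brace is outside the hunk.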
diff --git a/src/test/test-util.c b/src/test/test-util.c
index ed91a67..9a28ef9 100644
--- a/src/test/test-util.c
+++ b/src/test/test-util.c
@@ -129,6 +129,7 @@ static void test_parse_boolean(void) {
assert_se(parse_boolean("garbage") < 0);
assert_se(parse_boolean("") < 0);
+ assert_se(parse_boolean("full") < 0);
}
static void test_parse_pid(void) {
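Review bot: The added assertion pins only the `full` case, so the exact-match rule itself has no test for near-misses of the accepted words, as far as this hunk shows. I would add a few negative cases next to it, such as `assert_se(parse_boolean("yess") < 0);`, `assert_se(parse_boolean("tr") < 0);` and `assert_se(parse_boolean("nope") < 0);`, so that a later return to prefix matching is caught. test_parse_boolean() starts outside the hunk, so existing positive cases are not visible here.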
......@@ -90,6 +90,7 @@ util-avoid-considering-dpkg-temporary-files-relevant.patch
libudev-fix-symbol-version-for-udev_queue_flush-and-.patch
build-don-t-install-busname-units-and-target-if-kdbu.patch
man-fix-references-to-systemctl-man-page-which-is-no.patch
parse_boolean-require-exact-matches.patch
## Debian specific patches:
Add-back-support-for-Debian-specific-config-files.patch
......@@ -134,3 +135,4 @@ Map-rcS.d-init-script-dependencies-to-their-systemd-.patch
Make-emergency.service-conflict-with-rescue.service.patch
Stop-syslog.socket-when-entering-emergency-mode.patch
Make-run-lock-tmpfs-an-API-fs.patch
Include-additional-directories-in-ProtectSystem.patch