Commit cf3b3bc7 authored by Michael Biebl

Fix ProtectSystem= to properly work with split /usr

Cherry-pick upstream commit to fix ProtectSystem=full and make the
ProtectSystem= option consider /bin, /sbin, /lib and /lib64 (if it
exists) on Debian systems.

Closes: #759689
parent f5d78072
...@@ -30,6 +30,9 @@ systemd (215-1) UNRELEASED; urgency=medium ...@@ -30,6 +30,9 @@ systemd (215-1) UNRELEASED; urgency=medium
* Disable factory-reset feature and remove files associated with it. This * Disable factory-reset feature and remove files associated with it. This
feature needs more integration work first before it can be enabled in feature needs more integration work first before it can be enabled in
Debian. Debian.
* Cherry-pick upstream commit to fix ProtectSystem=full and make the
ProtectSystem= option consider /bin, /sbin, /lib and /lib64 (if it exists)
on Debian systems. (Closes: #759689)
-- Michael Biebl <biebl@debian.org> Tue, 26 Aug 2014 12:09:10 +0200 -- Michael Biebl <biebl@debian.org> Tue, 26 Aug 2014 12:09:10 +0200
......
From: Ansgar Burchardt <ansgar@debian.org>
Date: Thu, 24 Jul 2014 19:38:07 +0200
Subject: Include additional directories in ProtectSystem
---
src/core/namespace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5466b7b..88f6448 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -372,7 +372,7 @@ int setup_namespace(
strv_length(inaccessible_dirs) +
private_dev +
(protect_home != PROTECT_HOME_NO ? 3 : 0) +
- (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 6 : 0) +
(protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
if (n > 0) {
@@ -414,7 +414,7 @@ int setup_namespace(
}
if (protect_system != PROTECT_SYSTEM_NO) {
- r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot", "/etc") : STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot"), READONLY);
if (r < 0)
return r;
}
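Review bot: The slot count `6` in the first hunk and the path lists passed to `append_mounts()` in the second hunk are kept in step by hand, and nothing in either hunk ties them together. They agree as written (six paths, with `/etc` covered by the separate `PROTECT_SYSTEM_FULL ? 1 : 0` term), but a later edit to only one side would leave `n` out of step with the number of entries actually appended; the allocation sized by `n` is outside the hunk, so the exact consequence cannot be confirmed from here. I would add a comment above the count such as `/* must equal the number of paths in the STRV_MAKE() lists passed to append_mounts() for protect_system below */`, or define the two lists once and derive the count from them. Separately, the list covers `/lib64` but no other multilib library directory, so it is worth confirming whether any further Debian library paths need the same read-only treatment. Both hunks sit inside setup_namespace(), whose start and end are outside the lines shown.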
From: Ansgar Burchardt <ansgar@debian.org>
Date: Sun, 27 Jul 2014 15:19:00 +0200
Subject: parse_boolean: require exact matches
Require exact matches in all cases instead of treating strings
starting with 't' ('f') as true (false).
This is required for config_parse_protect_system to parse ProtectSystem=full
correctly: it uses parse_boolean and only tries a more specific parsing
function if that did not return a valid result. Thus "full" was treated as
"false" before.
(cherry picked commit from 0f625d0b87139fc18cd565c9b6da05c53a0eb7ab)
---
src/shared/util.c | 4 ++--
src/test/test-util.c | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/shared/util.c b/src/shared/util.c
index 103bf2a..f7f9b74 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -231,9 +231,9 @@ int unlink_noerrno(const char *path) {
int parse_boolean(const char *v) {
assert(v);
- if (streq(v, "1") || v[0] == 'y' || v[0] == 'Y' || v[0] == 't' || v[0] == 'T' || strcaseeq(v, "on"))
+ if (streq(v, "1") || strcaseeq(v, "yes") || strcaseeq(v, "y") || strcaseeq(v, "true") || strcaseeq(v, "t") || strcaseeq(v, "on"))
return 1;
- else if (streq(v, "0") || v[0] == 'n' || v[0] == 'N' || v[0] == 'f' || v[0] == 'F' || strcaseeq(v, "off"))
+ else if (streq(v, "0") || strcaseeq(v, "no") || strcaseeq(v, "n") || strcaseeq(v, "false") || strcaseeq(v, "f") || strcaseeq(v, "off"))
return 0;
return -EINVAL;
diff --git a/src/test/test-util.c b/src/test/test-util.c
index ed91a67..9a28ef9 100644
--- a/src/test/test-util.c
+++ b/src/test/test-util.c
@@ -129,6 +129,7 @@ static void test_parse_boolean(void) {
assert_se(parse_boolean("garbage") < 0);
assert_se(parse_boolean("") < 0);
+ assert_se(parse_boolean("full") < 0);
}
static void test_parse_pid(void) {
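Review bot: The stricter matching in `parse_boolean()` changes the result for every caller, not only ProtectSystem=, and the test hunk pins just one newly rejected string (`"full"`). Any value that used to be accepted through its first letter now returns -EINVAL. If a caller falls back to its default on error (not visible here), a sandboxing option spelled that way in an existing unit file could end up silently off after the upgrade, so the behaviour change deserves an explicit mention for administrators. I would add negative cases next to the new assertion, e.g. `assert_se(parse_boolean("nope") < 0);` and `assert_se(parse_boolean("tru") < 0);`, so the exact-match contract is covered for both the true and the false branch. The bodies of parse_boolean() and test_parse_boolean() extend beyond the hunks shown.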
...@@ -90,6 +90,7 @@ util-avoid-considering-dpkg-temporary-files-relevant.patch ...@@ -90,6 +90,7 @@ util-avoid-considering-dpkg-temporary-files-relevant.patch
libudev-fix-symbol-version-for-udev_queue_flush-and-.patch libudev-fix-symbol-version-for-udev_queue_flush-and-.patch
build-don-t-install-busname-units-and-target-if-kdbu.patch build-don-t-install-busname-units-and-target-if-kdbu.patch
man-fix-references-to-systemctl-man-page-which-is-no.patch man-fix-references-to-systemctl-man-page-which-is-no.patch
parse_boolean-require-exact-matches.patch
## Debian specific patches: ## Debian specific patches:
Add-back-support-for-Debian-specific-config-files.patch Add-back-support-for-Debian-specific-config-files.patch
...@@ -134,3 +135,4 @@ Map-rcS.d-init-script-dependencies-to-their-systemd-.patch ...@@ -134,3 +135,4 @@ Map-rcS.d-init-script-dependencies-to-their-systemd-.patch
Make-emergency.service-conflict-with-rescue.service.patch Make-emergency.service-conflict-with-rescue.service.patch
Stop-syslog.socket-when-entering-emergency-mode.patch Stop-syslog.socket-when-entering-emergency-mode.patch
Make-run-lock-tmpfs-an-API-fs.patch Make-run-lock-tmpfs-an-API-fs.patch
Include-additional-directories-in-ProtectSystem.patch