author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-06-25 14:21:05 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-25 14:21:05 +0200 |
commit | a768492a33716c2a3650725c1a1123ee32a612e8 (patch) | |
tree | 4e764c852e0a572814b14d37fc186661dede028c /src/core | |
parent | remove a left-over break (diff) | |
parent | core: do not set nosuid mount option when SELinux is enabled (diff) | |
Merge pull request #20023 from yuwata/re-enable-nosuid-mount-flag
core: reenable nosuid mount flag when NoNewPrivileges=yes
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/execute.c | 2 | ||||
-rw-r--r-- | src/core/namespace.c | 32 | ||||
-rw-r--r-- | src/core/namespace.h | 1 |
3 files changed, 35 insertions, 0 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 42d76a346d..a83b1b5694 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3190,6 +3190,8 @@ static int apply_mount_namespace(
                         .protect_proc = context->protect_proc,
                         .proc_subset = context->proc_subset,
                         .private_ipc = context->private_ipc || context->ipc_namespace_path,
+                        /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
+                        .mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*
diff --git a/src/core/namespace.c b/src/core/namespace.c
index f270529fd1..160ed9bc0e 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1473,6 +1473,27 @@ static int make_noexec(const MountEntry *m, char **deny_list, FILE *proc_self_mo
         return 0;
 }
 
+static int make_nosuid(const MountEntry *m, FILE *proc_self_mountinfo) {
+        bool submounts = false;
+        int r = 0;
+
+        assert(m);
+        assert(proc_self_mountinfo);
+
+        submounts = !IN_SET(m->mode, EMPTY_DIR, TMPFS);
+
+        if (submounts)
+                r = bind_remount_recursive_with_mountinfo(mount_entry_path(m), MS_NOSUID, MS_NOSUID, NULL, proc_self_mountinfo);
+        else
+                r = bind_remount_one_with_mountinfo(mount_entry_path(m), MS_NOSUID, MS_NOSUID, proc_self_mountinfo);
+        if (r == -ENOENT && m->ignore)
+                return 0;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to re-mount '%s'%s: %m", mount_entry_path(m), submounts ? " and its submounts" : "");
+        return 0;
+}
+
 static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
         assert(ns_info);
 
@@ -1669,6 +1690,17 @@ static int apply_mounts(
                 }
         }
 
+        /* Fourth round, flip the nosuid bits without a deny list. */
+        if (ns_info->mount_nosuid)
+                for (MountEntry *m = mounts; m < mounts + *n_mounts; ++m) {
+                        r = make_nosuid(m, proc_self_mountinfo);
+                        if (r < 0) {
+                                if (error_path && mount_entry_path(m))
+                                        *error_path = strdup(mount_entry_path(m));
+                                return r;
+                        }
+                }
+
         return 1;
 }
 
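Review bot: The comment added above `.mount_nosuid` explains only the NNP half of the condition; the `!mac_selinux_use()` half is left for the reader to puzzle out, even though the merged commit "core: do not set nosuid mount option when SELinux is enabled" is the rationale. Put that reason next to the code so it survives the merge: `/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. Not on SELinux systems though, where nosuid is not a no-op (it also affects domain transitions). */`. Note also that `context->no_new_privileges` reflects only the explicit NoNewPrivileges= setting; if execute.c already has a helper that derives the effective NNP state from other options, it may be the intended input here — worth confirming. apply_mount_namespace starts and ends outside this hunk, and the new field is only set on this one branch of the initializer, so services that do not reach it get no nosuid regardless of NNP.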
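Review bot: make_nosuid's failure message, `"Failed to re-mount '%s'%s: %m"`, does not name the flag being applied, so in a debug log it cannot be told apart from the read-only and noexec rounds that presumably share the wording; `"Failed to re-mount '%s'%s nosuid: %m"` identifies the operation at no cost. The `bool submounts = false;` followed by an unconditional assignment can be collapsed into `bool submounts = !IN_SET(m->mode, EMPTY_DIR, TMPFS);` placed after the asserts, matching how `r` is otherwise only written once per branch. A one-line header comment would also help the next reader: `/* Remount the entry (recursively unless it is an EMPTY_DIR or TMPFS) with MS_NOSUID; a missing path is tolerated when m->ignore is set. */`.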
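Review bot: In the fourth round the result of `strdup(mount_entry_path(m))` is not checked, so on allocation failure `*error_path` stays NULL and the caller reports the remount error without a path; this is presumably the same pattern the earlier rounds use, so if it is deliberate a short comment such as `/* error_path is informational only; a failed strdup just drops it */` would keep it from being re-flagged. The comment on the round states that no deny list is used but not why, whereas the rounds before it visibly take one; a clause explaining the difference would make the asymmetry intentional rather than accidental-looking. apply_mounts starts outside this hunk.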
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 737d6eae8b..c9373a4adb 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -74,6 +74,7 @@ struct NamespaceInfo {
         bool mount_apivfs;
         bool protect_hostname;
         bool private_ipc;
+        bool mount_nosuid;
         ProtectHome protect_home;
         ProtectSystem protect_system;
         ProtectProc protect_proc;