Control: tags -1 - moreinfo
Please find the new debdiff attached.
diff -Nru xfsprogs-6.13.0/debian/changelog xfsprogs-6.13.0/debian/changelog
--- xfsprogs-6.13.0/debian/changelog 2025-02-23 15:32:04.000000000 +0100
+++ xfsprogs-6.13.0/debian/changelog 2026-03-04 12:28:29.000000000 +0100
@@ -1,3 +1,10 @@
+xfsprogs (6.13.0-2+deb13u1) trixie; urgency=medium
+
+ * xfs_scrub_fail: reduce security lockdowns to avoid postfix problems
+ (Closes: #1116595)
+
+ -- Bastian Germann <[email protected]> Wed, 04 Mar 2026 12:28:29 +0100
+
 xfsprogs (6.13.0-2) unstable; urgency=medium
 
 * Patch: mkfs: Correct filesize declaration
diff -Nru xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch
--- xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch 1970-01-01 01:00:00.000000000 +0100
+++ xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch 2026-03-01 17:22:10.000000000 +0100
@@ -0,0 +1,133 @@
+From: Bastian Germann <[email protected]>
+Date: Mar, 01 2026 16:19:13 +0100
+Bug-Debian: https://bugs.debian.org/1116595
+Subject: reduce security lockdowns to avoid postfix problems
+
+Apply upstream 50411335572120153cc84d54213cd5ca9dd11b14 to the other
+systemd services that people might have problems with.
+---
+--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all.service.in
++++ xfsprogs-6.18.0/scrub/xfs_scrub_all.service.in
+@@ -25,61 +25,3 @@ IOSchedulingClass=idle
+ CPUSchedulingPolicy=idle
+ CPUAccounting=true
+ Nice=19
+-
+-# No realtime scheduling
+-RestrictRealtime=true
+-
+-# No special privileges, but we still have to run as root so that we can
+-# contact the service manager to start the sub-units.
+-CapabilityBoundingSet=
+-NoNewPrivileges=true
+-RestrictSUIDSGID=true
+-
+-# Make the entire filesystem readonly except for the media scan stamp file
+-# directory. We don't want to hide anything because we need to find all
+-# mounted XFS filesystems in the host.
+-ProtectSystem=strict
+-ProtectHome=read-only
+-PrivateTmp=false
+-BindPaths=@pkg_state_dir@
+-
+-# No network access except to the systemd control socket
+-PrivateNetwork=true
+-ProtectHostname=true
+-RestrictAddressFamilies=AF_UNIX
+-IPAddressDeny=any
+-
+-# Don't let the program mess with the kernel configuration at all
+-ProtectKernelLogs=true
+-ProtectKernelModules=true
+-ProtectKernelTunables=true
+-ProtectControlGroups=true
+-ProtectProc=invisible
+-RestrictNamespaces=true
+-
+-# Hide everything in /proc, even /proc/mounts
+-ProcSubset=pid
+-
+-# Only allow the default personality Linux
+-LockPersonality=true
+-
+-# No writable memory pages
+-MemoryDenyWriteExecute=true
+-
+-# Don't let our mounts leak out to the host
+-PrivateMounts=true
+-
+-# Restrict system calls to the native arch and only enough to get things going
+-SystemCallArchitectures=native
+-SystemCallFilter=@system-service
+-SystemCallFilter=~@privileged
+-SystemCallFilter=~@resources
+-SystemCallFilter=~@mount
+-
+-# Media scan stamp file shouldn't be readable by regular users
+-UMask=0077
+-
+-# lsblk ignores mountpoints if it can't find the device files, so we cannot
+-# hide them
+-#ProtectClock=true
+-#PrivateDevices=true
+--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all_fail.service.in
++++ xfsprogs-6.18.0/scrub/xfs_scrub_all_fail.service.in
+@@ -14,58 +14,3 @@ ExecStart=@pkg_libexec_dir@/xfs_scrub_fa
+ User=mail
+ Group=mail
+ SupplementaryGroups=systemd-journal
+-
+-# No realtime scheduling
+-RestrictRealtime=true
+-
+-# Make the entire filesystem readonly and /home inaccessible.
+-ProtectSystem=full
+-ProtectHome=yes
+-PrivateTmp=true
+-RestrictSUIDSGID=true
+-
+-# Emailing reports requires network access, but not the ability to change the
+-# hostname.
+-ProtectHostname=true
+-
+-# Don't let the program mess with the kernel configuration at all
+-ProtectKernelLogs=true
+-ProtectKernelModules=true
+-ProtectKernelTunables=true
+-ProtectControlGroups=true
+-ProtectProc=invisible
+-RestrictNamespaces=true
+-
+-# Can't hide /proc because journalctl needs it to find various pieces of log
+-# information
+-#ProcSubset=pid
+-
+-# Only allow the default personality Linux
+-LockPersonality=true
+-
+-# No writable memory pages
+-MemoryDenyWriteExecute=true
+-
+-# Don't let our mounts leak out to the host
+-PrivateMounts=true
+-
+-# Restrict system calls to the native arch and only enough to get things going
+-SystemCallArchitectures=native
+-SystemCallFilter=@system-service
+-SystemCallFilter=~@privileged
+-SystemCallFilter=~@resources
+-SystemCallFilter=~@mount
+-
+-# xfs_scrub needs these privileges to run, and no others
+-CapabilityBoundingSet=
+-NoNewPrivileges=true
+-
+-# Failure reporting shouldn't create world-readable files
+-UMask=0077
+-
+-# Clean up any IPC objects when this unit stops
+-RemoveIPC=true
+-
+-# No access to hardware device files
+-PrivateDevices=true
+-ProtectClock=true
diff -Nru xfsprogs-6.13.0/debian/patches/series xfsprogs-6.13.0/debian/patches/series
--- xfsprogs-6.13.0/debian/patches/series 2025-02-23 15:20:24.000000000 +0100
+++ xfsprogs-6.13.0/debian/patches/series 2026-03-04 12:27:53.000000000 +0100
@@ -1 +1,3 @@
 mkfs-Correct-filesize-declaration.patch
+xfs_scrub_fail-reduce-security-lockdowns.patch
+reduce-security-lockdowns-to-avoid-postfix-problems.patch
diff -Nru xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch
--- xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 1970-01-01 01:00:00.000000000 +0100
+++ xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 2026-03-04 12:26:44.000000000 +0100
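Review bot: The Debian-specific patch reduce-security-lockdowns-to-avoid-postfix-problems.patch strips the entire hardening block from xfs_scrub_all.service.in as well, although the stated cause (postdrop needing setgid execution and the postdrop group) only concerns the units that send mail; the removed comment states that xfs_scrub_all "still [has] to run as root so that we can contact the service manager", and nothing in that unit suggests it invokes an MTA, so for the root-running unit this is a hardening regression with no justification on record. Consider limiting the patch to xfs_scrub_all_fail.service.in, and where a block is removed, keeping an explanatory comment like the one the upstream patch in this same upload adds (`# No further restrictions because some installations may have MTAs such as postfix ...`) so the missing sandboxing is visibly intentional. The patch header also has problems: `Date: Mar, 01 2026 16:19:13 +0100` is not a valid date (weekday and month are swapped), the hunks were generated against xfsprogs-6.18.0.orig while this package is 6.13.0 so it should be confirmed to apply without fuzz, and the cited upstream id 50411335... differs from the `From 15fd6fc686d5...` id in the sibling patch, so the header should say which tree each id refers to.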
@@ -0,0 +1,101 @@
+From 15fd6fc686d5ce7640e46d44f6fa018413ce1b64 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <[email protected]>
+Date: Mon, 13 Oct 2025 16:34:24 -0700
+Subject: [PATCH] xfs_scrub_fail: reduce security lockdowns to avoid postfix
+ problems
+
+Iustin Pop reports that the xfs_scrub_fail service fails to email
+problem reports on Debian when postfix is installed. This is apparently
+due to several factors:
+
+1. postfix's sendmail wrapper calling postdrop directly,
+2. postdrop requiring the ability to write to the postdrop group,
+3. lockdown preventing the xfs_scrub_fail@ service to have postdrop in
+ the supplemental group list or the ability to run setgid programs
+
+Item (3) could be solved by adding the whole service to the postdrop
+group via SupplementalGroups=, but that will fail if postfix is not
+installed and hence there is no postdrop group.
+
+It could also be solved by forcing msmtp to be installed, bind mounting
+msmtp into the service container, and injecting a config file that
+instructs msmtp to connect to port 25, but that in turn isn't compatible
+with systems not configured to allow an smtp server to listen on ::1.
+
+So we'll go with the less restrictive approach that e2scrub_fail@ does,
+which is to say that we just turn off all the sandboxing. :( :(
+
+Reported-by: [email protected]
+Cc: [email protected] # v6.10.0
+Fixes: 9042fcc08eed6a ("xfs_scrub_fail: tighten up the security on the background systemd service")
+Signed-off-by: Darrick J. Wong <[email protected]>
+Reviewed-by: Andrey Albershteyn <[email protected]>
+---
+ scrub/[email protected] | 57 ++------------------------------
+ 1 file changed, 3 insertions(+), 54 deletions(-)
+
+diff --git a/scrub/[email protected] b/scrub/[email protected]
+index 16077888..1e205768 100644
+--- a/scrub/[email protected]
++++ b/scrub/[email protected]
+@@ -19,57 +19,6 @@ SupplementaryGroups=systemd-journal
+ # can control resource usage.
+ Slice=system-xfs_scrub.slice
+
+-# No realtime scheduling
+-RestrictRealtime=true
+-
+-# Make the entire filesystem readonly and /home inaccessible.
+-ProtectSystem=full
+-ProtectHome=yes
+-PrivateTmp=true
+-RestrictSUIDSGID=true
+-
+-# Emailing reports requires network access, but not the ability to change the
+-# hostname.
+-ProtectHostname=true
+-
+-# Don't let the program mess with the kernel configuration at all
+-ProtectKernelLogs=true
+-ProtectKernelModules=true
+-ProtectKernelTunables=true
+-ProtectControlGroups=true
+-ProtectProc=invisible
+-RestrictNamespaces=true
+-
+-# Can't hide /proc because journalctl needs it to find various pieces of log
+-# information
+-#ProcSubset=pid
+-
+-# Only allow the default personality Linux
+-LockPersonality=true
+-
+-# No writable memory pages
+-MemoryDenyWriteExecute=true
+-
+-# Don't let our mounts leak out to the host
+-PrivateMounts=true
+-
+-# Restrict system calls to the native arch and only enough to get things going
+-SystemCallArchitectures=native
+-SystemCallFilter=@system-service
+-SystemCallFilter=~@privileged
+-SystemCallFilter=~@resources
+-SystemCallFilter=~@mount
+-
+-# xfs_scrub needs these privileges to run, and no others
+-CapabilityBoundingSet=
+-NoNewPrivileges=true
+-
+-# Failure reporting shouldn't create world-readable files
+-UMask=0077
+-
+-# Clean up any IPC objects when this unit stops
+-RemoveIPC=true
+-
+-# No access to hardware device files
+-PrivateDevices=true
+-ProtectClock=true
++# No further restrictions because some installations may have MTAs such as
++# postfix, which require the ability to run setgid programs and other
++# foolishness.
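Review bot: The removal in xfs_scrub_fail@.service.in is broader than the failure the commit message diagnoses: item (3) names setgid execution and the postdrop supplementary group, which map to `RestrictSUIDSGID=true`, `NoNewPrivileges=true` and `CapabilityBoundingSet=`, yet the hunk also drops directives that presumably do not affect postdrop, such as `UMask=0077`, `RemoveIPC=true`, `ProtectKernelTunables=true`, `ProtectHome=yes` and `ProtectClock=true`, leaving `User=mail` as the unit's only containment. Since this is a verbatim upstream backport for a stable release, the maintainer may not want to diverge, but the replacement comment could at least say which lockdowns were found to break postdrop so a later update can restore the rest, e.g. `# RestrictSUIDSGID/NoNewPrivileges/CapabilityBoundingSet break postfix's setgid postdrop; the remaining sandboxing was dropped alongside them, see upstream 15fd6fc6`. Users who audit unit hardening (for example with `systemd-analyze security`) will otherwise see the exposure score jump in a stable update without an explanation in the unit itself.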

