On 10/16/19 2:16 PM, Muminul Islam wrote: > CVE: CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 > > Upstream-Status: Backport Warrior needs these fixes before thud mainline can be fixed.
- armin > > Signed-off-by: Muminul Islam <[email protected]> > --- > .../systemd/systemd/CVE-2019-3842.patch | 59 +++++ > .../systemd/systemd/CVE-2019-3843_p1.patch | 227 ++++++++++++++++++ > .../systemd/systemd/CVE-2019-3843_p2.patch | 174 ++++++++++++++ > .../systemd/systemd/CVE-2019-3843_p3.patch | 90 +++++++ > .../systemd/systemd/CVE-2019-3843_p4.patch | 163 +++++++++++++ > .../systemd/systemd/CVE-2019-3844.patch | 96 ++++++++ > meta/recipes-core/systemd/systemd_239.bb | 6 + > 7 files changed, 815 insertions(+) > create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3842.patch > create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch > create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch > create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch > create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch > create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3844.patch > > diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch > b/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch > new file mode 100644 > index 0000000000..c58914b5b3 > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch > @@ -0,0 +1,59 @@ > +From 7ee4ae8c15bd9cc3d60000f9a4b684ea608cabc6 Mon Sep 17 00:00:00 2001 > +From: Lennart Poettering <[email protected]> > +Date: Mon, 4 Feb 2019 10:23:43 +0100 > +Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv() > +Reply-To: [email protected] > + > +And explain why in a comment. > + > +Signed-off-by: Muminul Islam <[email protected]> > + > +CVE: CVE-2019-3842 > + > +Upstream-Status: Backport > + > +Upstream commit: > https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a > +--- > + src/login/pam_systemd.c | 10 +++++----- > + 1 file changed, 5 insertions(+), 5 deletions(-) > + > +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c > +index 1fbf6ba585..3ecb34425d 100644 > +--- a/src/login/pam_systemd.c > ++++ b/src/login/pam_systemd.c > +@@ -354,27 +354,27 @@ _public_ PAM_EXTERN int pam_sm_open_session( > + > + seat = pam_getenv(handle, "XDG_SEAT"); > + if (isempty(seat)) > +- seat = getenv("XDG_SEAT"); > ++ seat = secure_getenv("XDG_SEAT"); > + > + cvtnr = pam_getenv(handle, "XDG_VTNR"); > + if (isempty(cvtnr)) > +- cvtnr = getenv("XDG_VTNR"); > ++ cvtnr = secure_getenv("XDG_VTNR"); > + > + type = pam_getenv(handle, "XDG_SESSION_TYPE"); > + if (isempty(type)) > +- type = getenv("XDG_SESSION_TYPE"); > ++ type = secure_getenv("XDG_SESSION_TYPE"); > + if (isempty(type)) > + type = type_pam; > + > + class = pam_getenv(handle, "XDG_SESSION_CLASS"); > + if (isempty(class)) > +- class = getenv("XDG_SESSION_CLASS"); > ++ class = secure_getenv("XDG_SESSION_CLASS"); > + if (isempty(class)) > + class = class_pam; > + > + desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP"); > + if (isempty(desktop)) > +- desktop = getenv("XDG_SESSION_DESKTOP"); > ++ desktop = secure_getenv("XDG_SESSION_DESKTOP"); > + > + tty = strempty(tty); > + > +-- > +2.23.0 > + > diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch > b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch > new file mode 100644 > index 0000000000..a0646dd54e > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch > @@ -0,0 +1,227 @@ > +From 63788571a48adec4a0fed9d1d8993f867d1c1a1d Mon Sep 17 00:00:00 2001 > +From: Lennart Poettering <[email protected]> > +Date: Wed, 20 Mar 2019 19:00:28 +0100 > +Subject: [PATCH] seccomp: introduce seccomp_restrict_suid_sgid() for blocking > + chmod() for suid/sgid files > +Reply-To: [email protected] > + > +Signed-off-by: Muminul Islam <[email protected]> > + > +CVE: CVE-2019-3843 > +Upstream-Status: Backport > + > +Upstream commit: > https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 > +--- > + src/shared/seccomp-util.c | 173 ++++++++++++++++++++++++++++++++++++++ > + src/shared/seccomp-util.h | 1 + > + 2 files changed, 174 insertions(+) > + > +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c > +index c433cb90dc..e9632d703e 100644 > +--- a/src/shared/seccomp-util.c > ++++ b/src/shared/seccomp-util.c > +@@ -1,12 +1,14 @@ > + /* SPDX-License-Identifier: LGPL-2.1+ */ > + > + #include <errno.h> > ++#include <fcntl.h> > + #include <linux/seccomp.h> > + #include <seccomp.h> > + #include <stddef.h> > + #include <sys/mman.h> > + #include <sys/prctl.h> > + #include <sys/shm.h> > ++#include <sys/stat.h> > + > + #include "af-list.h" > + #include "alloc-util.h" > +@@ -1742,3 +1744,174 @@ int seccomp_lock_personality(unsigned long > personality) { > + > + return 0; > + } > ++ > ++int seccomp_protect_hostname(void) { > ++ uint32_t arch; > ++ int r; > ++ > ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) { > ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; > ++ > ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); > ++ if (r < 0) > ++ return r; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(sethostname), > ++ 0); > ++ if (r < 0) { > ++ log_debug_errno(r, "Failed to add sethostname() > rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); > ++ continue; > ++ } > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(setdomainname), > ++ 0); > ++ if (r < 0) { > ++ log_debug_errno(r, "Failed to add setdomainname() > rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); > ++ continue; > ++ } > ++ > ++ r = seccomp_load(seccomp); > ++ if (IN_SET(r, -EPERM, -EACCES)) > ++ return r; > ++ if (r < 0) > ++ log_debug_errno(r, "Failed to apply hostname > restrictions for architecture %s, skipping: %m", > seccomp_arch_to_string(arch)); > ++ } > ++ > ++ return 0; > ++} > ++ > ++int seccomp_restrict_suid_sgid(void) { > ++ uint32_t arch; > ++ int r; > ++ > ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) { > ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; > ++ > ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); > ++ if (r < 0) > ++ return r; > ++ > ++ /* Checks the mode_t parameter of the following system > calls: > ++ * > ++ * → chmod() + fchmod() + fchmodat() > ++ * → open() + creat() + openat() > ++ * → mkdir() + mkdirat() > ++ * → mknod() + mknodat() > ++ */ > ++ > ++ for (unsigned bit = 0; bit < 2; bit ++) { > ++ /* Block S_ISUID in the first iteration, S_ISGID in > the second */ > ++ mode_t m = bit == 0 ? S_ISUID : S_ISGID; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(chmod), > ++ 1, > ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(fchmod), > ++ 1, > ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(fchmodat), > ++ 1, > ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(mkdir), > ++ 1, > ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(mkdirat), > ++ 1, > ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(mknod), > ++ 1, > ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(mknodat), > ++ 1, > ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(open), > ++ 2, > ++ SCMP_A1(SCMP_CMP_MASKED_EQ, > O_CREAT, O_CREAT), > ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(openat), > ++ 2, > ++ SCMP_A2(SCMP_CMP_MASKED_EQ, > O_CREAT, O_CREAT), > ++ SCMP_A3(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ > ++ r = seccomp_rule_add_exact( > ++ seccomp, > ++ SCMP_ACT_ERRNO(EPERM), > ++ SCMP_SYS(creat), > ++ 1, > ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); > ++ if (r < 0) > ++ break; > ++ } > ++ if (r < 0) { > ++ log_debug_errno(r, "Failed to add suid/sgid rule > for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); > ++ continue; > ++ } > ++ > ++ r = seccomp_load(seccomp); > ++ if (IN_SET(r, -EPERM, -EACCES)) > ++ return r; > ++ if (r < 0) > ++ log_debug_errno(r, "Failed to apply suid/sgid > restrictions for architecture %s, skipping: %m", > seccomp_arch_to_string(arch)); > ++ } > ++ > ++ return 0; > ++} > +diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h > +index eac857afb9..a274333450 100644 > +--- a/src/shared/seccomp-util.h > ++++ b/src/shared/seccomp-util.h > +@@ -85,6 +85,7 @@ int seccomp_restrict_address_families(Set > *address_families, bool whitelist); > + int seccomp_restrict_realtime(void); > + int seccomp_memory_deny_write_execute(void); > + int seccomp_lock_personality(unsigned long personality); > ++int seccomp_restrict_suid_sgid(void); > + > + extern const uint32_t seccomp_local_archs[]; > + > +-- > +2.23.0 > + > diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch > b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch > new file mode 100644 > index 0000000000..bf9e4cd641 > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch > @@ -0,0 +1,174 @@ > +From 8c2b92f997255296186d3986cde04de57c652b73 Mon Sep 17 00:00:00 2001 > +From: Lennart Poettering <[email protected]> > +Date: Wed, 20 Mar 2019 19:09:09 +0100 > +Subject: [PATCH] core: expose SUID/SGID restriction as new unit setting > + RestrictSUIDSGID= > +Reply-To: [email protected] > + > +Signed-off-by: Muminul Islam <[email protected]> > + > +CVE: CVE-2019-3843 > +Upstream-Status: Backport > +Upstream Commit: > https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada > +--- > + src/core/dbus-execute.c | 4 ++++ > + src/core/execute.c | 22 +++++++++++++++++++ > + src/core/execute.h | 1 + > + src/core/load-fragment-gperf.gperf.m4 | 2 ++ > + src/shared/bus-unit-util.c | 12 +++++----- > + test/fuzz-corpus/unit-file/directives.service | 1 + > + 6 files changed, 36 insertions(+), 6 deletions(-) > + > +diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c > +index c44970c10c..41dfb36377 100644 > +--- a/src/core/dbus-execute.c > ++++ b/src/core/dbus-execute.c > +@@ -769,6 +769,7 @@ const sd_bus_vtable bus_exec_vtable[] = { > + SD_BUS_PROPERTY("ConfigurationDirectory", "as", NULL, > offsetof(ExecContext, directories[EXEC_DIRECTORY_CONFIGURATION].paths), > SD_BUS_VTABLE_PROPERTY_CONST), > + SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", > bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), > SD_BUS_VTABLE_PROPERTY_CONST), > + SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, > offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST), > ++ SD_BUS_PROPERTY("RestrictSUIDSGID", "b", bus_property_get_bool, > offsetof(ExecContext, restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST), > + SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, > offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST), > + SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, > SD_BUS_VTABLE_PROPERTY_CONST), > + SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", > property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST), > +@@ -1127,6 +1128,9 @@ int bus_exec_context_set_transient_property( > + if (streq(name, "RestrictRealtime")) > + return bus_set_transient_bool(u, name, > &c->restrict_realtime, message, flags, error); > + > ++ if (streq(name, "RestrictSUIDSGID")) > ++ return bus_set_transient_bool(u, name, > &c->restrict_suid_sgid, message, flags, error); > ++ > + if (streq(name, "DynamicUser")) > + return bus_set_transient_bool(u, name, &c->dynamic_user, > message, flags, error); > + > +diff --git a/src/core/execute.c b/src/core/execute.c > +index 8ac69d1a0f..e7f78f7f32 100644 > +--- a/src/core/execute.c > ++++ b/src/core/execute.c > +@@ -1366,6 +1366,7 @@ static bool context_has_no_new_privileges(const > ExecContext *c) { > + return context_has_address_families(c) || > + c->memory_deny_write_execute || > + c->restrict_realtime || > ++ c->restrict_suid_sgid || > + exec_context_restrict_namespaces_set(c) || > + c->protect_kernel_tunables || > + c->protect_kernel_modules || > +@@ -1470,6 +1471,19 @@ static int apply_restrict_realtime(const Unit* u, > const ExecContext *c) { > + return seccomp_restrict_realtime(); > + } > + > ++static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) { > ++ assert(u); > ++ assert(c); > ++ > ++ if (!c->restrict_suid_sgid) > ++ return 0; > ++ > ++ if (skip_seccomp_unavailable(u, "RestrictSUIDSGID=")) > ++ return 0; > ++ > ++ return seccomp_restrict_suid_sgid(); > ++} > ++ > + static int apply_protect_sysctl(const Unit *u, const ExecContext *c) { > + assert(u); > + assert(c); > +@@ -3331,6 +3345,12 @@ static int exec_child( > + return log_unit_error_errno(unit, r, "Failed to > apply realtime restrictions: %m"); > + } > + > ++ r = apply_restrict_suid_sgid(unit, context); > ++ if (r < 0) { > ++ *exit_status = EXIT_SECCOMP; > ++ return log_unit_error_errno(unit, r, "Failed to > apply SUID/SGID restrictions: %m"); > ++ } > ++ > + r = apply_restrict_namespaces(unit, context); > + if (r < 0) { > + *exit_status = EXIT_SECCOMP; > +@@ -3920,6 +3940,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, > const char *prefix) { > + "%sIgnoreSIGPIPE: %s\n" > + "%sMemoryDenyWriteExecute: %s\n" > + "%sRestrictRealtime: %s\n" > ++ "%sRestrictSUIDSGID: %s\n" > + "%sKeyringMode: %s\n", > + prefix, c->umask, > + prefix, c->working_directory ? c->working_directory : "/", > +@@ -3938,6 +3959,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, > const char *prefix) { > + prefix, yes_no(c->ignore_sigpipe), > + prefix, yes_no(c->memory_deny_write_execute), > + prefix, yes_no(c->restrict_realtime), > ++ prefix, yes_no(c->restrict_suid_sgid), > + prefix, exec_keyring_mode_to_string(c->keyring_mode)); > + > + if (c->root_image) > +diff --git a/src/core/execute.h b/src/core/execute.h > +index 77ffe82323..e6319cee8a 100644 > +--- a/src/core/execute.h > ++++ b/src/core/execute.h > +@@ -260,6 +260,7 @@ struct ExecContext { > + > + bool memory_deny_write_execute; > + bool restrict_realtime; > ++ bool restrict_suid_sgid; > + > + bool oom_score_adjust_set:1; > + bool nice_set:1; > +diff --git a/src/core/load-fragment-gperf.gperf.m4 > b/src/core/load-fragment-gperf.gperf.m4 > +index 15fb47838c..692edcb101 100644 > +--- a/src/core/load-fragment-gperf.gperf.m4 > ++++ b/src/core/load-fragment-gperf.gperf.m4 > +@@ -72,6 +72,7 @@ $1.SystemCallErrorNumber, > config_parse_syscall_errno, 0, > + $1.MemoryDenyWriteExecute, config_parse_bool, 0, > offsetof($1, exec_context.memory_deny_write_execute) > + $1.RestrictNamespaces, config_parse_restrict_namespaces, 0, > offsetof($1, exec_context) > + $1.RestrictRealtime, config_parse_bool, 0, > offsetof($1, exec_context.restrict_realtime) > ++$1.RestrictSUIDSGID, config_parse_bool, 0, > offsetof($1, exec_context.restrict_suid_sgid) > + $1.RestrictAddressFamilies, config_parse_address_families, 0, > offsetof($1, exec_context) > + $1.LockPersonality, config_parse_bool, 0, > offsetof($1, exec_context.lock_personality)', > + `$1.SystemCallFilter, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0 > +@@ -80,6 +81,7 @@ $1.SystemCallErrorNumber, config_parse_warn_compat, > DISABLED_CO > + $1.MemoryDenyWriteExecute, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0 > + $1.RestrictNamespaces, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0 > + $1.RestrictRealtime, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0 > ++$1.RestrictSUIDSGID, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0 > + $1.RestrictAddressFamilies, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0 > + $1.LockPersonality, config_parse_warn_compat, > DISABLED_CONFIGURATION, 0') > + $1.LimitCPU, config_parse_rlimit, > RLIMIT_CPU, offsetof($1, exec_context.rlimit) > +diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c > +index 3238b442c0..c2f9720c33 100644 > +--- a/src/shared/bus-unit-util.c > ++++ b/src/shared/bus-unit-util.c > +@@ -692,12 +692,12 @@ static int bus_append_execute_property(sd_bus_message > *m, const char *field, con > + return bus_append_string(m, field, eq); > + > + if (STR_IN_SET(field, > +- "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", > "TTYVTDisallocate", > +- "PrivateTmp", "PrivateDevices", "PrivateNetwork", > "PrivateUsers", > +- "PrivateMounts", "NoNewPrivileges", > "SyslogLevelPrefix", > +- "MemoryDenyWriteExecute", "RestrictRealtime", > "DynamicUser", "RemoveIPC", > +- "ProtectKernelTunables", "ProtectKernelModules", > "ProtectControlGroups", > +- "MountAPIVFS", "CPUSchedulingResetOnFork", > "LockPersonality")) > ++ "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", > "TTYVTDisallocate", "PrivateTmp", > ++ "PrivateDevices", "PrivateNetwork", "PrivateUsers", > "PrivateMounts", > ++ "NoNewPrivileges", "SyslogLevelPrefix", > "MemoryDenyWriteExecute", "RestrictRealtime", > ++ "DynamicUser", "RemoveIPC", "ProtectKernelTunables", > "ProtectKernelModules", > ++ "ProtectControlGroups", "MountAPIVFS", > "CPUSchedulingResetOnFork", "LockPersonality", > ++ "ProtectHostname", "RestrictSUIDSGID")) > + > + return bus_append_parse_boolean(m, field, eq); > + > +diff --git a/test/fuzz-corpus/unit-file/directives.service > b/test/fuzz-corpus/unit-file/directives.service > +index b35325fb6f..ad6cd8d712 100644 > +--- a/test/fuzz-corpus/unit-file/directives.service > ++++ b/test/fuzz-corpus/unit-file/directives.service > +@@ -848,6 +848,7 @@ ReserveVT= > + RestrictAddressFamilies= > + RestrictNamespaces= > + RestrictRealtime= > ++RestrictSUIDSGID= > + RuntimeDirectory= > + RuntimeDirectoryMode= > + RuntimeDirectoryPreserve= > +-- > +2.23.0 > + > diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch > b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch > new file mode 100644 > index 0000000000..586b4118bf > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch > @@ -0,0 +1,90 @@ > +From cd8496795c104c7e557f2d9207f75b896465dbee Mon Sep 17 00:00:00 2001 > +From: Lennart Poettering <[email protected]> > +Date: Wed, 20 Mar 2019 19:45:32 +0100 > +Subject: [PATCH] man: document the new RestrictSUIDSGID= setting > +Reply-To: [email protected] > + > +Signed-off-by: Muminul Islam <[email protected]> > + > +CVE: CVE-2019-3843 > +Upstream-Status: Backport > +Upstream Commit: > https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b > +--- > + doc/TRANSIENT-SETTINGS.md | 1 + > + man/systemd.exec.xml | 41 +++++++++++++++++++++++++++------------ > + 2 files changed, 30 insertions(+), 12 deletions(-) > + > +diff --git a/doc/TRANSIENT-SETTINGS.md b/doc/TRANSIENT-SETTINGS.md > +index ca9e8387b7..20c70a05f9 100644 > +--- a/doc/TRANSIENT-SETTINGS.md > ++++ b/doc/TRANSIENT-SETTINGS.md > +@@ -147,6 +147,7 @@ All execution-related settings are available for > transient units. > + ✓ MemoryDenyWriteExecute= > + ✓ RestrictNamespaces= > + ✓ RestrictRealtime= > ++✓ RestrictSUIDSGID= > + ✓ RestrictAddressFamilies= > + ✓ LockPersonality= > + ✓ LimitCPU= > +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml > +index 3bd790b485..2bdbc0608e 100644 > +--- a/man/systemd.exec.xml > ++++ b/man/systemd.exec.xml > +@@ -348,18 +348,19 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> > + <varlistentry> > + <term><varname>NoNewPrivileges=</varname></term> > + > +- <listitem><para>Takes a boolean argument. If true, ensures that the > service process and all its children can > +- never gain new privileges through <function>execve()</function> > (e.g. via setuid or setgid bits, or filesystem > +- capabilities). This is the simplest and most effective way to > ensure that a process and its children can never > +- elevate privileges again. Defaults to false, but certain settings > override this and ignore the value of this > +- setting. This is the case when > <varname>SystemCallFilter=</varname>, > +- <varname>SystemCallArchitectures=</varname>, > <varname>RestrictAddressFamilies=</varname>, > +- <varname>RestrictNamespaces=</varname>, > <varname>PrivateDevices=</varname>, > +- <varname>ProtectKernelTunables=</varname>, > <varname>ProtectKernelModules=</varname>, > +- <varname>MemoryDenyWriteExecute=</varname>, > <varname>RestrictRealtime=</varname>, or > +- <varname>LockPersonality=</varname> are specified. Note that even > if this setting is overridden by them, > +- <command>systemctl show</command> shows the original value of this > setting. Also see > +- <ulink > url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html";>No > New Privileges > ++ <listitem><para>Takes a boolean argument. If true, ensures that the > service process and all its > ++ children can never gain new privileges through > <function>execve()</function> (e.g. via setuid or > ++ setgid bits, or filesystem capabilities). This is the simplest and > most effective way to ensure that > ++ a process and its children can never elevate privileges again. > Defaults to false, but certain > ++ settings override this and ignore the value of this setting. This > is the case when > ++ <varname>SystemCallFilter=</varname>, > <varname>SystemCallArchitectures=</varname>, > ++ <varname>RestrictAddressFamilies=</varname>, > <varname>RestrictNamespaces=</varname>, > ++ <varname>PrivateDevices=</varname>, > <varname>ProtectKernelTunables=</varname>, > ++ <varname>ProtectKernelModules=</varname>, > <varname>MemoryDenyWriteExecute=</varname>, > ++ <varname>RestrictRealtime=</varname>, > <varname>RestrictSUIDSGID=</varname> or > ++ <varname>LockPersonality=</varname> are specified. Note that even > if this setting is overridden by > ++ them, <command>systemctl show</command> shows the original value of > this setting. Also see <ulink > ++ > url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html";>No > New Privileges > + Flag</ulink>. </para></listitem> > + </varlistentry> > + > +@@ -1252,6 +1253,22 @@ RestrictNamespaces=~cgroup net</programlisting> > + that actually require them. Defaults to off.</para></listitem> > + </varlistentry> > + > ++ <varlistentry> > ++ <term><varname>RestrictSUIDSGID=</varname></term> > ++ > ++ <listitem><para>Takes a boolean argument. If set, any attempts to > set the set-user-ID (SUID) or > ++ set-group-ID (SGID) bits on files or directories will be denied > (for details on these bits see > ++ <citerefentry > ++ > project='man-pages'><refentrytitle>inode</refentrytitle><manvolnum>7</manvolnum></citerefentry>). > If > ++ running in user mode, or in system mode, but without the > <constant>CAP_SYS_ADMIN</constant> > ++ capability (e.g. setting <varname>User=</varname>), > <varname>NoNewPrivileges=yes</varname> is > ++ implied. As the SUID/SGID bits are mechanisms to elevate > privileges, and allows users to acquire the > ++ identity of other users, it is recommended to restrict creation of > SUID/SGID files to the few > ++ programs that actually require them. Note that this restricts > marking of any type of file system > ++ object with these bits, including both regular files and > directories (where the SGID is a different > ++ meaning than for files, see documentation). Defaults to > off.</para></listitem> > ++ </varlistentry> > ++ > + <varlistentry> > + <term><varname>RemoveIPC=</varname></term> > + > +-- > +2.23.0 > + > diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch > b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch > new file mode 100644 > index 0000000000..ae2d8f7999 > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch > @@ -0,0 +1,163 @@ > +From a331bccfacc286c8f8d75544548a47d098c9d580 Mon Sep 17 00:00:00 2001 > +From: Lennart Poettering <[email protected]> > +Date: Wed, 20 Mar 2019 19:52:20 +0100 > +Subject: [PATCH] units: turn on RestrictSUIDSGID= in most of our long-running > + daemons > +Reply-To: [email protected] > + > +Signed-off-by: Muminul Islam <[email protected]> > +CVE: CVE-2019-3843 > +Upstream-Status: Backport > +Upstream Commit: > https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d > +--- > + units/[email protected] | 1 + > + units/systemd-hostnamed.service.in | 1 + > + units/systemd-journal-remote.service.in | 1 + > + units/systemd-journald.service.in | 1 + > + units/systemd-localed.service.in | 1 + > + units/systemd-logind.service.in | 1 + > + units/systemd-networkd.service.in | 1 + > + units/systemd-resolved.service.in | 1 + > + units/systemd-timedated.service.in | 1 + > + units/systemd-timesyncd.service.in | 1 + > + units/systemd-udevd.service.in | 3 ++- > + 11 files changed, 12 insertions(+), 1 deletion(-) > + > +diff --git a/units/[email protected] > b/units/[email protected] > +index 215696ecd1..08ecedbe56 100644 > +--- a/units/[email protected] > ++++ b/units/[email protected] > +@@ -31,6 +31,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX > + SystemCallFilter=@system-service > +diff --git a/units/systemd-hostnamed.service.in > b/units/systemd-hostnamed.service.in > +index da74b4fe8b..a6e07781ce 100644 > +--- a/units/systemd-hostnamed.service.in > ++++ b/units/systemd-hostnamed.service.in > +@@ -27,6 +27,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX > + SystemCallFilter=@system-service sethostname > +diff --git a/units/systemd-journal-remote.service.in > b/units/systemd-journal-remote.service.in > +index a94265f215..05a166f587 100644 > +--- a/units/systemd-journal-remote.service.in > ++++ b/units/systemd-journal-remote.service.in > +@@ -26,6 +26,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 > + SystemCallArchitectures=native > +diff --git a/units/systemd-journald.service.in > b/units/systemd-journald.service.in > +index 52939e6820..ad7d979d1c 100644 > +--- a/units/systemd-journald.service.in > ++++ b/units/systemd-journald.service.in > +@@ -27,6 +27,7 @@ FileDescriptorStoreMax=4224 > + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE > CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH > CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX AF_NETLINK > + SystemCallFilter=@system-service > +diff --git a/units/systemd-localed.service.in > b/units/systemd-localed.service.in > +index a24e61a0cd..a9f3ab8c6e 100644 > +--- a/units/systemd-localed.service.in > ++++ b/units/systemd-localed.service.in > +@@ -27,6 +27,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX > + SystemCallFilter=@system-service > +diff --git a/units/systemd-logind.service.in > b/units/systemd-logind.service.in > +index 5e090bcf23..af28364bbf 100644 > +--- a/units/systemd-logind.service.in > ++++ b/units/systemd-logind.service.in > +@@ -28,6 +28,7 @@ WatchdogSec=3min > + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL > CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER > CAP_SYS_TTY_CONFIG > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX AF_NETLINK > + SystemCallFilter=@system-service > +diff --git a/units/systemd-networkd.service.in > b/units/systemd-networkd.service.in > +index 371ab3a9cf..dd42baf610 100644 > +--- a/units/systemd-networkd.service.in > ++++ b/units/systemd-networkd.service.in > +@@ -33,6 +33,7 @@ ProtectControlGroups=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET > + SystemCallFilter=@system-service > +diff --git a/units/systemd-resolved.service.in > b/units/systemd-resolved.service.in > +index 9982ecebff..49444298ee 100644 > +--- a/units/systemd-resolved.service.in > ++++ b/units/systemd-resolved.service.in > +@@ -36,6 +36,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 > + SystemCallFilter=@system-service > +diff --git a/units/systemd-timedated.service.in > b/units/systemd-timedated.service.in > +index 906bb4326c..7c210a6b16 100644 > +--- a/units/systemd-timedated.service.in > ++++ b/units/systemd-timedated.service.in > +@@ -25,6 +25,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX > + SystemCallFilter=@system-service @clock > +diff --git a/units/systemd-timesyncd.service.in > b/units/systemd-timesyncd.service.in > +index 4a490b6e16..8f614193ce 100644 > +--- a/units/systemd-timesyncd.service.in > ++++ b/units/systemd-timesyncd.service.in > +@@ -35,6 +35,7 @@ ProtectKernelTunables=yes > + ProtectKernelModules=yes > + MemoryDenyWriteExecute=yes > + RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + RestrictNamespaces=yes > + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 > + RuntimeDirectory=systemd/timesync > +diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in > +index 6a3814e5d9..aa81dc5fbc 100644 > +--- a/units/systemd-udevd.service.in > ++++ b/units/systemd-udevd.service.in > +@@ -27,8 +27,9 @@ WatchdogSec=3min > + TasksMax=infinity > + PrivateMounts=yes > + MemoryDenyWriteExecute=yes > +-RestrictRealtime=yes > + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 > ++RestrictRealtime=yes > ++RestrictSUIDSGID=yes > + SystemCallFilter=@system-service @module @raw-io > + SystemCallErrorNumber=EPERM > + SystemCallArchitectures=native > +-- > +2.23.0 > + > diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch > b/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch > new file mode 100644 > index 0000000000..721268e741 > --- /dev/null > +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch > @@ -0,0 +1,96 @@ > +From 31bc7e4ce2ee4757663c13ed3f98f8fb90c57fd1 Mon Sep 17 00:00:00 2001 > +From: Lennart Poettering <[email protected]> > +Date: Wed, 20 Mar 2019 20:19:38 +0100 > +Subject: [PATCH] core: imply NNP and SUID/SGID restriction for > DynamicUser=yes > + service > +Reply-To: [email protected] > + > +Let's be safe, rather than sorry. This way DynamicUser=yes services can > +neither take benefit of, nor create SUID/SGID binaries. > + > +Given that DynamicUser= is a recent addition only we should be able to > +get away with turning this on, even though this is strictly speaking a > +binary compatibility breakage. > + > +Signed-off-by: Muminul Islam <[email protected]> > + > +CVE: CVE-2019-3844 > +Upstream-Status: Backport > +Upstream Commit: > https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba > +--- > + man/systemd.exec.xml | 16 ++++++++++------ > + src/core/unit.c | 10 ++++++++-- > + 2 files changed, 18 insertions(+), 8 deletions(-) > + > +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml > +index 2bdbc0608e..b02fff4ec8 100644 > +--- a/man/systemd.exec.xml > ++++ b/man/systemd.exec.xml > +@@ -229,7 +229,9 @@ > + created by the executed processes is bound to the runtime of the > service, and hence the lifetime of the dynamic > + user/group. Since <filename>/tmp</filename> and > <filename>/var/tmp</filename> are usually the only > + world-writable directories on a system this ensures that a unit > making use of dynamic user/group allocation > +- cannot leave files around after unit termination. Moreover > <varname>ProtectSystem=strict</varname> and > ++ cannot leave files around after unit termination. Furthermore > <varname>NoNewPrivileges=</varname> and > ++ <varname>RestrictSUIDSGID=</varname> are implicitly enabled to > ensure that processes invoked cannot take benefit or create SUID/SGID files > ++ or directories Moreover <varname>ProtectSystem=strict</varname> and > + <varname>ProtectHome=read-only</varname> are implied, thus > prohibiting the service to write to arbitrary file > + system locations. In order to allow the service to write to certain > directories, they have to be whitelisted > + using <varname>ReadWritePaths=</varname>, but care must be taken so > that UID/GID recycling doesn't create > +@@ -357,11 +359,12 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> > + <varname>RestrictAddressFamilies=</varname>, > <varname>RestrictNamespaces=</varname>, > + <varname>PrivateDevices=</varname>, > <varname>ProtectKernelTunables=</varname>, > + <varname>ProtectKernelModules=</varname>, > <varname>MemoryDenyWriteExecute=</varname>, > +- <varname>RestrictRealtime=</varname>, > <varname>RestrictSUIDSGID=</varname> or > +- <varname>LockPersonality=</varname> are specified. Note that even > if this setting is overridden by > +- them, <command>systemctl show</command> shows the original value of > this setting. Also see <ulink > ++ <varname>RestrictRealtime=</varname>, > <varname>RestrictSUIDSGID=</varname>, > ++ <varname>DynamicUser=</varname> or > <varname>LockPersonality=</varname> are specified. Note that even > ++ if this setting is overridden by them, <command>systemctl > show</command> shows the original value of > ++ this setting. Also see <ulink > + > url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html";>No > New Privileges > +- Flag</ulink>. </para></listitem> > ++ Flag</ulink>.</para></listitem> > + </varlistentry> > + > + <varlistentry> > +@@ -1266,7 +1269,8 @@ RestrictNamespaces=~cgroup net</programlisting> > + identity of other users, it is recommended to restrict creation of > SUID/SGID files to the few > + programs that actually require them. Note that this restricts > marking of any type of file system > + object with these bits, including both regular files and > directories (where the SGID is a different > +- meaning than for files, see documentation). Defaults to > off.</para></listitem> > ++ meaning than for files, see documentation). This option is implied > if <varname>DynamicUser=</varname> > ++ is enabled. Defaults to off.</para></listitem> > + </varlistentry> > + > + <varlistentry> > +diff --git a/src/core/unit.c b/src/core/unit.c > +index a3556cc5ec..55b29c8447 100644 > +--- a/src/core/unit.c > ++++ b/src/core/unit.c > +@@ -4133,14 +4133,20 @@ int unit_patch_contexts(Unit *u) { > + return -ENOMEM; > + } > + > +- /* If the dynamic user option is on, let's make > sure that the unit can't leave its UID/GID > +- * around in the file system or on IPC objects. > Hence enforce a strict sandbox. */ > ++ /* If the dynamic user option is on, let's make > sure that the unit can't leave its > ++ * UID/GID around in the file system or on IPC > objects. Hence enforce a strict > ++ * sandbox. */ > + > + ec->private_tmp = true; > + ec->remove_ipc = true; > + ec->protect_system = PROTECT_SYSTEM_STRICT; > + if (ec->protect_home == PROTECT_HOME_NO) > + ec->protect_home = PROTECT_HOME_READ_ONLY; > ++ > ++ /* Make sure this service can neither benefit from > SUID/SGID binaries nor create > ++ * them. */ > ++ ec->no_new_privileges = true; > ++ ec->restrict_suid_sgid = true; > + } > + } > + > +-- > +2.23.0 > + > diff --git a/meta/recipes-core/systemd/systemd_239.bb > b/meta/recipes-core/systemd/systemd_239.bb > index 7fbd64ced7..2bc51cee2c 100644 > --- a/meta/recipes-core/systemd/systemd_239.bb > +++ b/meta/recipes-core/systemd/systemd_239.bb > @@ -43,6 +43,12 @@ SRC_URI += "file://touchscreen.rules \ > file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \ > file://CVE-2019-6454.patch \ > file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch > \ > + file://CVE-2019-3842.patch \ > + file://CVE-2019-3843_p1.patch \ > + file://CVE-2019-3843_p2.patch \ > + file://CVE-2019-3843_p3.patch \ > + file://CVE-2019-3843_p4.patch \ > + file://CVE-2019-3842.patch \ > " > > # patches made for musl are only applied on TCLIBC is musl >
-- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
