[OE-core] [thud][PATCH] systemd: Security fixes for CVE
akuster808
akuster808 at gmail.com
Fri Oct 25 15:58:11 UTC 2019
On 10/16/19 2:16 PM, Muminul Islam wrote:
> CVE: CVE-2019-3842 CVE-2019-3843 CVE-2019-3844
>
> Upstream-Status: Backport
Warrior needs these fixes before thud mainline can be fixed.
- armin
>
> Signed-off-by: Muminul Islam <muislam at microsoft.com>
> ---
> .../systemd/systemd/CVE-2019-3842.patch | 59 +++++
> .../systemd/systemd/CVE-2019-3843_p1.patch | 227 ++++++++++++++++++
> .../systemd/systemd/CVE-2019-3843_p2.patch | 174 ++++++++++++++
> .../systemd/systemd/CVE-2019-3843_p3.patch | 90 +++++++
> .../systemd/systemd/CVE-2019-3843_p4.patch | 163 +++++++++++++
> .../systemd/systemd/CVE-2019-3844.patch | 96 ++++++++
> meta/recipes-core/systemd/systemd_239.bb | 6 +
> 7 files changed, 815 insertions(+)
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3842.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch
> create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3844.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch
> new file mode 100644
> index 0000000000..c58914b5b3
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch
> @@ -0,0 +1,59 @@
> +From 7ee4ae8c15bd9cc3d60000f9a4b684ea608cabc6 Mon Sep 17 00:00:00 2001
> +From: Lennart Poettering <lennart at poettering.net>
> +Date: Mon, 4 Feb 2019 10:23:43 +0100
> +Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv()
> +Reply-To: muislam at microsoft.com
> +
> +And explain why in a comment.
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +
> +CVE: CVE-2019-3842
> +
> +Upstream-Status: Backport
> +
> +Upstream commit: https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a
> +---
> + src/login/pam_systemd.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
> +index 1fbf6ba585..3ecb34425d 100644
> +--- a/src/login/pam_systemd.c
> ++++ b/src/login/pam_systemd.c
> +@@ -354,27 +354,27 @@ _public_ PAM_EXTERN int pam_sm_open_session(
> +
> + seat = pam_getenv(handle, "XDG_SEAT");
> + if (isempty(seat))
> +- seat = getenv("XDG_SEAT");
> ++ seat = secure_getenv("XDG_SEAT");
> +
> + cvtnr = pam_getenv(handle, "XDG_VTNR");
> + if (isempty(cvtnr))
> +- cvtnr = getenv("XDG_VTNR");
> ++ cvtnr = secure_getenv("XDG_VTNR");
> +
> + type = pam_getenv(handle, "XDG_SESSION_TYPE");
> + if (isempty(type))
> +- type = getenv("XDG_SESSION_TYPE");
> ++ type = secure_getenv("XDG_SESSION_TYPE");
> + if (isempty(type))
> + type = type_pam;
> +
> + class = pam_getenv(handle, "XDG_SESSION_CLASS");
> + if (isempty(class))
> +- class = getenv("XDG_SESSION_CLASS");
> ++ class = secure_getenv("XDG_SESSION_CLASS");
> + if (isempty(class))
> + class = class_pam;
> +
> + desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP");
> + if (isempty(desktop))
> +- desktop = getenv("XDG_SESSION_DESKTOP");
> ++ desktop = secure_getenv("XDG_SESSION_DESKTOP");
> +
> + tty = strempty(tty);
> +
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch
> new file mode 100644
> index 0000000000..a0646dd54e
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch
> @@ -0,0 +1,227 @@
> +From 63788571a48adec4a0fed9d1d8993f867d1c1a1d Mon Sep 17 00:00:00 2001
> +From: Lennart Poettering <lennart at poettering.net>
> +Date: Wed, 20 Mar 2019 19:00:28 +0100
> +Subject: [PATCH] seccomp: introduce seccomp_restrict_suid_sgid() for blocking
> + chmod() for suid/sgid files
> +Reply-To: muislam at microsoft.com
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +
> +CVE: CVE-2019-3843
> +Upstream-Status: Backport
> +
> +Upstream commit: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
> +---
> + src/shared/seccomp-util.c | 173 ++++++++++++++++++++++++++++++++++++++
> + src/shared/seccomp-util.h | 1 +
> + 2 files changed, 174 insertions(+)
> +
> +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
> +index c433cb90dc..e9632d703e 100644
> +--- a/src/shared/seccomp-util.c
> ++++ b/src/shared/seccomp-util.c
> +@@ -1,12 +1,14 @@
> + /* SPDX-License-Identifier: LGPL-2.1+ */
> +
> + #include <errno.h>
> ++#include <fcntl.h>
> + #include <linux/seccomp.h>
> + #include <seccomp.h>
> + #include <stddef.h>
> + #include <sys/mman.h>
> + #include <sys/prctl.h>
> + #include <sys/shm.h>
> ++#include <sys/stat.h>
> +
> + #include "af-list.h"
> + #include "alloc-util.h"
> +@@ -1742,3 +1744,174 @@ int seccomp_lock_personality(unsigned long personality) {
> +
> + return 0;
> + }
> ++
> ++int seccomp_protect_hostname(void) {
> ++ uint32_t arch;
> ++ int r;
> ++
> ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) {
> ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
> ++
> ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
> ++ if (r < 0)
> ++ return r;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(sethostname),
> ++ 0);
> ++ if (r < 0) {
> ++ log_debug_errno(r, "Failed to add sethostname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
> ++ continue;
> ++ }
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(setdomainname),
> ++ 0);
> ++ if (r < 0) {
> ++ log_debug_errno(r, "Failed to add setdomainname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
> ++ continue;
> ++ }
> ++
> ++ r = seccomp_load(seccomp);
> ++ if (IN_SET(r, -EPERM, -EACCES))
> ++ return r;
> ++ if (r < 0)
> ++ log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
> ++ }
> ++
> ++ return 0;
> ++}
> ++
> ++int seccomp_restrict_suid_sgid(void) {
> ++ uint32_t arch;
> ++ int r;
> ++
> ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) {
> ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
> ++
> ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
> ++ if (r < 0)
> ++ return r;
> ++
> ++ /* Checks the mode_t parameter of the following system calls:
> ++ *
> ++ * → chmod() + fchmod() + fchmodat()
> ++ * → open() + creat() + openat()
> ++ * → mkdir() + mkdirat()
> ++ * → mknod() + mknodat()
> ++ */
> ++
> ++ for (unsigned bit = 0; bit < 2; bit ++) {
> ++ /* Block S_ISUID in the first iteration, S_ISGID in the second */
> ++ mode_t m = bit == 0 ? S_ISUID : S_ISGID;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(chmod),
> ++ 1,
> ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(fchmod),
> ++ 1,
> ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(fchmodat),
> ++ 1,
> ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(mkdir),
> ++ 1,
> ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(mkdirat),
> ++ 1,
> ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(mknod),
> ++ 1,
> ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(mknodat),
> ++ 1,
> ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(open),
> ++ 2,
> ++ SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT),
> ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(openat),
> ++ 2,
> ++ SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT),
> ++ SCMP_A3(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++
> ++ r = seccomp_rule_add_exact(
> ++ seccomp,
> ++ SCMP_ACT_ERRNO(EPERM),
> ++ SCMP_SYS(creat),
> ++ 1,
> ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
> ++ if (r < 0)
> ++ break;
> ++ }
> ++ if (r < 0) {
> ++ log_debug_errno(r, "Failed to add suid/sgid rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
> ++ continue;
> ++ }
> ++
> ++ r = seccomp_load(seccomp);
> ++ if (IN_SET(r, -EPERM, -EACCES))
> ++ return r;
> ++ if (r < 0)
> ++ log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
> ++ }
> ++
> ++ return 0;
> ++}
> +diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
> +index eac857afb9..a274333450 100644
> +--- a/src/shared/seccomp-util.h
> ++++ b/src/shared/seccomp-util.h
> +@@ -85,6 +85,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
> + int seccomp_restrict_realtime(void);
> + int seccomp_memory_deny_write_execute(void);
> + int seccomp_lock_personality(unsigned long personality);
> ++int seccomp_restrict_suid_sgid(void);
> +
> + extern const uint32_t seccomp_local_archs[];
> +
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch
> new file mode 100644
> index 0000000000..bf9e4cd641
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch
> @@ -0,0 +1,174 @@
> +From 8c2b92f997255296186d3986cde04de57c652b73 Mon Sep 17 00:00:00 2001
> +From: Lennart Poettering <lennart at poettering.net>
> +Date: Wed, 20 Mar 2019 19:09:09 +0100
> +Subject: [PATCH] core: expose SUID/SGID restriction as new unit setting
> + RestrictSUIDSGID=
> +Reply-To: muislam at microsoft.com
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +
> +CVE: CVE-2019-3843
> +Upstream-Status: Backport
> +Upstream Commit: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
> +---
> + src/core/dbus-execute.c | 4 ++++
> + src/core/execute.c | 22 +++++++++++++++++++
> + src/core/execute.h | 1 +
> + src/core/load-fragment-gperf.gperf.m4 | 2 ++
> + src/shared/bus-unit-util.c | 12 +++++-----
> + test/fuzz-corpus/unit-file/directives.service | 1 +
> + 6 files changed, 36 insertions(+), 6 deletions(-)
> +
> +diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
> +index c44970c10c..41dfb36377 100644
> +--- a/src/core/dbus-execute.c
> ++++ b/src/core/dbus-execute.c
> +@@ -769,6 +769,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
> + SD_BUS_PROPERTY("ConfigurationDirectory", "as", NULL, offsetof(ExecContext, directories[EXEC_DIRECTORY_CONFIGURATION].paths), SD_BUS_VTABLE_PROPERTY_CONST),
> + SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
> + SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
> ++ SD_BUS_PROPERTY("RestrictSUIDSGID", "b", bus_property_get_bool, offsetof(ExecContext, restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST),
> + SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
> + SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
> + SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
> +@@ -1127,6 +1128,9 @@ int bus_exec_context_set_transient_property(
> + if (streq(name, "RestrictRealtime"))
> + return bus_set_transient_bool(u, name, &c->restrict_realtime, message, flags, error);
> +
> ++ if (streq(name, "RestrictSUIDSGID"))
> ++ return bus_set_transient_bool(u, name, &c->restrict_suid_sgid, message, flags, error);
> ++
> + if (streq(name, "DynamicUser"))
> + return bus_set_transient_bool(u, name, &c->dynamic_user, message, flags, error);
> +
> +diff --git a/src/core/execute.c b/src/core/execute.c
> +index 8ac69d1a0f..e7f78f7f32 100644
> +--- a/src/core/execute.c
> ++++ b/src/core/execute.c
> +@@ -1366,6 +1366,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) {
> + return context_has_address_families(c) ||
> + c->memory_deny_write_execute ||
> + c->restrict_realtime ||
> ++ c->restrict_suid_sgid ||
> + exec_context_restrict_namespaces_set(c) ||
> + c->protect_kernel_tunables ||
> + c->protect_kernel_modules ||
> +@@ -1470,6 +1471,19 @@ static int apply_restrict_realtime(const Unit* u, const ExecContext *c) {
> + return seccomp_restrict_realtime();
> + }
> +
> ++static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
> ++ assert(u);
> ++ assert(c);
> ++
> ++ if (!c->restrict_suid_sgid)
> ++ return 0;
> ++
> ++ if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
> ++ return 0;
> ++
> ++ return seccomp_restrict_suid_sgid();
> ++}
> ++
> + static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
> + assert(u);
> + assert(c);
> +@@ -3331,6 +3345,12 @@ static int exec_child(
> + return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
> + }
> +
> ++ r = apply_restrict_suid_sgid(unit, context);
> ++ if (r < 0) {
> ++ *exit_status = EXIT_SECCOMP;
> ++ return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
> ++ }
> ++
> + r = apply_restrict_namespaces(unit, context);
> + if (r < 0) {
> + *exit_status = EXIT_SECCOMP;
> +@@ -3920,6 +3940,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
> + "%sIgnoreSIGPIPE: %s\n"
> + "%sMemoryDenyWriteExecute: %s\n"
> + "%sRestrictRealtime: %s\n"
> ++ "%sRestrictSUIDSGID: %s\n"
> + "%sKeyringMode: %s\n",
> + prefix, c->umask,
> + prefix, c->working_directory ? c->working_directory : "/",
> +@@ -3938,6 +3959,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
> + prefix, yes_no(c->ignore_sigpipe),
> + prefix, yes_no(c->memory_deny_write_execute),
> + prefix, yes_no(c->restrict_realtime),
> ++ prefix, yes_no(c->restrict_suid_sgid),
> + prefix, exec_keyring_mode_to_string(c->keyring_mode));
> +
> + if (c->root_image)
> +diff --git a/src/core/execute.h b/src/core/execute.h
> +index 77ffe82323..e6319cee8a 100644
> +--- a/src/core/execute.h
> ++++ b/src/core/execute.h
> +@@ -260,6 +260,7 @@ struct ExecContext {
> +
> + bool memory_deny_write_execute;
> + bool restrict_realtime;
> ++ bool restrict_suid_sgid;
> +
> + bool oom_score_adjust_set:1;
> + bool nice_set:1;
> +diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
> +index 15fb47838c..692edcb101 100644
> +--- a/src/core/load-fragment-gperf.gperf.m4
> ++++ b/src/core/load-fragment-gperf.gperf.m4
> +@@ -72,6 +72,7 @@ $1.SystemCallErrorNumber, config_parse_syscall_errno, 0,
> + $1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute)
> + $1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context)
> + $1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime)
> ++$1.RestrictSUIDSGID, config_parse_bool, 0, offsetof($1, exec_context.restrict_suid_sgid)
> + $1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context)
> + $1.LockPersonality, config_parse_bool, 0, offsetof($1, exec_context.lock_personality)',
> + `$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
> +@@ -80,6 +81,7 @@ $1.SystemCallErrorNumber, config_parse_warn_compat, DISABLED_CO
> + $1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
> + $1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
> + $1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
> ++$1.RestrictSUIDSGID, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
> + $1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
> + $1.LockPersonality, config_parse_warn_compat, DISABLED_CONFIGURATION, 0')
> + $1.LimitCPU, config_parse_rlimit, RLIMIT_CPU, offsetof($1, exec_context.rlimit)
> +diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
> +index 3238b442c0..c2f9720c33 100644
> +--- a/src/shared/bus-unit-util.c
> ++++ b/src/shared/bus-unit-util.c
> +@@ -692,12 +692,12 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
> + return bus_append_string(m, field, eq);
> +
> + if (STR_IN_SET(field,
> +- "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "TTYVTDisallocate",
> +- "PrivateTmp", "PrivateDevices", "PrivateNetwork", "PrivateUsers",
> +- "PrivateMounts", "NoNewPrivileges", "SyslogLevelPrefix",
> +- "MemoryDenyWriteExecute", "RestrictRealtime", "DynamicUser", "RemoveIPC",
> +- "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
> +- "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality"))
> ++ "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "TTYVTDisallocate", "PrivateTmp",
> ++ "PrivateDevices", "PrivateNetwork", "PrivateUsers", "PrivateMounts",
> ++ "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime",
> ++ "DynamicUser", "RemoveIPC", "ProtectKernelTunables", "ProtectKernelModules",
> ++ "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality",
> ++ "ProtectHostname", "RestrictSUIDSGID"))
> +
> + return bus_append_parse_boolean(m, field, eq);
> +
> +diff --git a/test/fuzz-corpus/unit-file/directives.service b/test/fuzz-corpus/unit-file/directives.service
> +index b35325fb6f..ad6cd8d712 100644
> +--- a/test/fuzz-corpus/unit-file/directives.service
> ++++ b/test/fuzz-corpus/unit-file/directives.service
> +@@ -848,6 +848,7 @@ ReserveVT=
> + RestrictAddressFamilies=
> + RestrictNamespaces=
> + RestrictRealtime=
> ++RestrictSUIDSGID=
> + RuntimeDirectory=
> + RuntimeDirectoryMode=
> + RuntimeDirectoryPreserve=
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch
> new file mode 100644
> index 0000000000..586b4118bf
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch
> @@ -0,0 +1,90 @@
> +From cd8496795c104c7e557f2d9207f75b896465dbee Mon Sep 17 00:00:00 2001
> +From: Lennart Poettering <lennart at poettering.net>
> +Date: Wed, 20 Mar 2019 19:45:32 +0100
> +Subject: [PATCH] man: document the new RestrictSUIDSGID= setting
> +Reply-To: muislam at microsoft.com
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +
> +CVE: CVE-2019-3843
> +Upstream-Status: Backport
> +Upstream Commit: https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b
> +---
> + doc/TRANSIENT-SETTINGS.md | 1 +
> + man/systemd.exec.xml | 41 +++++++++++++++++++++++++++------------
> + 2 files changed, 30 insertions(+), 12 deletions(-)
> +
> +diff --git a/doc/TRANSIENT-SETTINGS.md b/doc/TRANSIENT-SETTINGS.md
> +index ca9e8387b7..20c70a05f9 100644
> +--- a/doc/TRANSIENT-SETTINGS.md
> ++++ b/doc/TRANSIENT-SETTINGS.md
> +@@ -147,6 +147,7 @@ All execution-related settings are available for transient units.
> + ✓ MemoryDenyWriteExecute=
> + ✓ RestrictNamespaces=
> + ✓ RestrictRealtime=
> ++✓ RestrictSUIDSGID=
> + ✓ RestrictAddressFamilies=
> + ✓ LockPersonality=
> + ✓ LimitCPU=
> +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
> +index 3bd790b485..2bdbc0608e 100644
> +--- a/man/systemd.exec.xml
> ++++ b/man/systemd.exec.xml
> +@@ -348,18 +348,19 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
> + <varlistentry>
> + <term><varname>NoNewPrivileges=</varname></term>
> +
> +- <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can
> +- never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem
> +- capabilities). This is the simplest and most effective way to ensure that a process and its children can never
> +- elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this
> +- setting. This is the case when <varname>SystemCallFilter=</varname>,
> +- <varname>SystemCallArchitectures=</varname>, <varname>RestrictAddressFamilies=</varname>,
> +- <varname>RestrictNamespaces=</varname>, <varname>PrivateDevices=</varname>,
> +- <varname>ProtectKernelTunables=</varname>, <varname>ProtectKernelModules=</varname>,
> +- <varname>MemoryDenyWriteExecute=</varname>, <varname>RestrictRealtime=</varname>, or
> +- <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by them,
> +- <command>systemctl show</command> shows the original value of this setting. Also see
> +- <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges
> ++ <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its
> ++ children can never gain new privileges through <function>execve()</function> (e.g. via setuid or
> ++ setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that
> ++ a process and its children can never elevate privileges again. Defaults to false, but certain
> ++ settings override this and ignore the value of this setting. This is the case when
> ++ <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>,
> ++ <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
> ++ <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
> ++ <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>,
> ++ <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname> or
> ++ <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by
> ++ them, <command>systemctl show</command> shows the original value of this setting. Also see <ulink
> ++ url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges
> + Flag</ulink>. </para></listitem>
> + </varlistentry>
> +
> +@@ -1252,6 +1253,22 @@ RestrictNamespaces=~cgroup net</programlisting>
> + that actually require them. Defaults to off.</para></listitem>
> + </varlistentry>
> +
> ++ <varlistentry>
> ++ <term><varname>RestrictSUIDSGID=</varname></term>
> ++
> ++ <listitem><para>Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or
> ++ set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see
> ++ <citerefentry
> ++ project='man-pages'><refentrytitle>inode</refentrytitle><manvolnum>7</manvolnum></citerefentry>). If
> ++ running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant>
> ++ capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is
> ++ implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allows users to acquire the
> ++ identity of other users, it is recommended to restrict creation of SUID/SGID files to the few
> ++ programs that actually require them. Note that this restricts marking of any type of file system
> ++ object with these bits, including both regular files and directories (where the SGID is a different
> ++ meaning than for files, see documentation). Defaults to off.</para></listitem>
> ++ </varlistentry>
> ++
> + <varlistentry>
> + <term><varname>RemoveIPC=</varname></term>
> +
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch
> new file mode 100644
> index 0000000000..ae2d8f7999
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch
> @@ -0,0 +1,163 @@
> +From a331bccfacc286c8f8d75544548a47d098c9d580 Mon Sep 17 00:00:00 2001
> +From: Lennart Poettering <lennart at poettering.net>
> +Date: Wed, 20 Mar 2019 19:52:20 +0100
> +Subject: [PATCH] units: turn on RestrictSUIDSGID= in most of our long-running
> + daemons
> +Reply-To: muislam at microsoft.com
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +CVE: CVE-2019-3843
> +Upstream-Status: Backport
> +Upstream Commit: https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d
> +---
> + units/systemd-coredump at .service.in | 1 +
> + units/systemd-hostnamed.service.in | 1 +
> + units/systemd-journal-remote.service.in | 1 +
> + units/systemd-journald.service.in | 1 +
> + units/systemd-localed.service.in | 1 +
> + units/systemd-logind.service.in | 1 +
> + units/systemd-networkd.service.in | 1 +
> + units/systemd-resolved.service.in | 1 +
> + units/systemd-timedated.service.in | 1 +
> + units/systemd-timesyncd.service.in | 1 +
> + units/systemd-udevd.service.in | 3 ++-
> + 11 files changed, 12 insertions(+), 1 deletion(-)
> +
> +diff --git a/units/systemd-coredump at .service.in b/units/systemd-coredump at .service.in
> +index 215696ecd1..08ecedbe56 100644
> +--- a/units/systemd-coredump at .service.in
> ++++ b/units/systemd-coredump at .service.in
> +@@ -31,6 +31,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX
> + SystemCallFilter=@system-service
> +diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
> +index da74b4fe8b..a6e07781ce 100644
> +--- a/units/systemd-hostnamed.service.in
> ++++ b/units/systemd-hostnamed.service.in
> +@@ -27,6 +27,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX
> + SystemCallFilter=@system-service sethostname
> +diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
> +index a94265f215..05a166f587 100644
> +--- a/units/systemd-journal-remote.service.in
> ++++ b/units/systemd-journal-remote.service.in
> +@@ -26,6 +26,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> + SystemCallArchitectures=native
> +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
> +index 52939e6820..ad7d979d1c 100644
> +--- a/units/systemd-journald.service.in
> ++++ b/units/systemd-journald.service.in
> +@@ -27,6 +27,7 @@ FileDescriptorStoreMax=4224
> + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK
> + SystemCallFilter=@system-service
> +diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
> +index a24e61a0cd..a9f3ab8c6e 100644
> +--- a/units/systemd-localed.service.in
> ++++ b/units/systemd-localed.service.in
> +@@ -27,6 +27,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX
> + SystemCallFilter=@system-service
> +diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
> +index 5e090bcf23..af28364bbf 100644
> +--- a/units/systemd-logind.service.in
> ++++ b/units/systemd-logind.service.in
> +@@ -28,6 +28,7 @@ WatchdogSec=3min
> + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK
> + SystemCallFilter=@system-service
> +diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
> +index 371ab3a9cf..dd42baf610 100644
> +--- a/units/systemd-networkd.service.in
> ++++ b/units/systemd-networkd.service.in
> +@@ -33,6 +33,7 @@ ProtectControlGroups=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
> + SystemCallFilter=@system-service
> +diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
> +index 9982ecebff..49444298ee 100644
> +--- a/units/systemd-resolved.service.in
> ++++ b/units/systemd-resolved.service.in
> +@@ -36,6 +36,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> + SystemCallFilter=@system-service
> +diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
> +index 906bb4326c..7c210a6b16 100644
> +--- a/units/systemd-timedated.service.in
> ++++ b/units/systemd-timedated.service.in
> +@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX
> + SystemCallFilter=@system-service @clock
> +diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
> +index 4a490b6e16..8f614193ce 100644
> +--- a/units/systemd-timesyncd.service.in
> ++++ b/units/systemd-timesyncd.service.in
> +@@ -35,6 +35,7 @@ ProtectKernelTunables=yes
> + ProtectKernelModules=yes
> + MemoryDenyWriteExecute=yes
> + RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + RestrictNamespaces=yes
> + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
> + RuntimeDirectory=systemd/timesync
> +diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
> +index 6a3814e5d9..aa81dc5fbc 100644
> +--- a/units/systemd-udevd.service.in
> ++++ b/units/systemd-udevd.service.in
> +@@ -27,8 +27,9 @@ WatchdogSec=3min
> + TasksMax=infinity
> + PrivateMounts=yes
> + MemoryDenyWriteExecute=yes
> +-RestrictRealtime=yes
> + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
> ++RestrictRealtime=yes
> ++RestrictSUIDSGID=yes
> + SystemCallFilter=@system-service @module @raw-io
> + SystemCallErrorNumber=EPERM
> + SystemCallArchitectures=native
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch
> new file mode 100644
> index 0000000000..721268e741
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch
> @@ -0,0 +1,96 @@
> +From 31bc7e4ce2ee4757663c13ed3f98f8fb90c57fd1 Mon Sep 17 00:00:00 2001
> +From: Lennart Poettering <lennart at poettering.net>
> +Date: Wed, 20 Mar 2019 20:19:38 +0100
> +Subject: [PATCH] core: imply NNP and SUID/SGID restriction for DynamicUser=yes
> + service
> +Reply-To: muislam at microsoft.com
> +
> +Let's be safe, rather than sorry. This way DynamicUser=yes services can
> +neither take benefit of, nor create SUID/SGID binaries.
> +
> +Given that DynamicUser= is a recent addition only we should be able to
> +get away with turning this on, even though this is strictly speaking a
> +binary compatibility breakage.
> +
> +Signed-off-by: Muminul Islam <muislam at microsoft.com>
> +
> +CVE: CVE-2019-3844
> +Upstream-Status: Backport
> +Upstream Commit: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
> +---
> + man/systemd.exec.xml | 16 ++++++++++------
> + src/core/unit.c | 10 ++++++++--
> + 2 files changed, 18 insertions(+), 8 deletions(-)
> +
> +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
> +index 2bdbc0608e..b02fff4ec8 100644
> +--- a/man/systemd.exec.xml
> ++++ b/man/systemd.exec.xml
> +@@ -229,7 +229,9 @@
> + created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic
> + user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only
> + world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation
> +- cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and
> ++ cannot leave files around after unit termination. Furthermore <varname>NoNewPrivileges=</varname> and
> ++ <varname>RestrictSUIDSGID=</varname> are implicitly enabled to ensure that processes invoked cannot take benefit or create SUID/SGID files
> ++ or directories Moreover <varname>ProtectSystem=strict</varname> and
> + <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file
> + system locations. In order to allow the service to write to certain directories, they have to be whitelisted
> + using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create
> +@@ -357,11 +359,12 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
> + <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>,
> + <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>,
> + <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>,
> +- <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname> or
> +- <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by
> +- them, <command>systemctl show</command> shows the original value of this setting. Also see <ulink
> ++ <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname>,
> ++ <varname>DynamicUser=</varname> or <varname>LockPersonality=</varname> are specified. Note that even
> ++ if this setting is overridden by them, <command>systemctl show</command> shows the original value of
> ++ this setting. Also see <ulink
> + url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New Privileges
> +- Flag</ulink>. </para></listitem>
> ++ Flag</ulink>.</para></listitem>
> + </varlistentry>
> +
> + <varlistentry>
> +@@ -1266,7 +1269,8 @@ RestrictNamespaces=~cgroup net</programlisting>
> + identity of other users, it is recommended to restrict creation of SUID/SGID files to the few
> + programs that actually require them. Note that this restricts marking of any type of file system
> + object with these bits, including both regular files and directories (where the SGID is a different
> +- meaning than for files, see documentation). Defaults to off.</para></listitem>
> ++ meaning than for files, see documentation). This option is implied if <varname>DynamicUser=</varname>
> ++ is enabled. Defaults to off.</para></listitem>
> + </varlistentry>
> +
> + <varlistentry>
> +diff --git a/src/core/unit.c b/src/core/unit.c
> +index a3556cc5ec..55b29c8447 100644
> +--- a/src/core/unit.c
> ++++ b/src/core/unit.c
> +@@ -4133,14 +4133,20 @@ int unit_patch_contexts(Unit *u) {
> + return -ENOMEM;
> + }
> +
> +- /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID
> +- * around in the file system or on IPC objects. Hence enforce a strict sandbox. */
> ++ /* If the dynamic user option is on, let's make sure that the unit can't leave its
> ++ * UID/GID around in the file system or on IPC objects. Hence enforce a strict
> ++ * sandbox. */
> +
> + ec->private_tmp = true;
> + ec->remove_ipc = true;
> + ec->protect_system = PROTECT_SYSTEM_STRICT;
> + if (ec->protect_home == PROTECT_HOME_NO)
> + ec->protect_home = PROTECT_HOME_READ_ONLY;
> ++
> ++ /* Make sure this service can neither benefit from SUID/SGID binaries nor create
> ++ * them. */
> ++ ec->no_new_privileges = true;
> ++ ec->restrict_suid_sgid = true;
> + }
> + }
> +
> +--
> +2.23.0
> +
> diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb
> index 7fbd64ced7..2bc51cee2c 100644
> --- a/meta/recipes-core/systemd/systemd_239.bb
> +++ b/meta/recipes-core/systemd/systemd_239.bb
> @@ -43,6 +43,12 @@ SRC_URI += "file://touchscreen.rules \
> file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
> file://CVE-2019-6454.patch \
> file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \
> + file://CVE-2019-3842.patch \
> + file://CVE-2019-3843_p1.patch \
> + file://CVE-2019-3843_p2.patch \
> + file://CVE-2019-3843_p3.patch \
> + file://CVE-2019-3843_p4.patch \
> + file://CVE-2019-3842.patch \
> "
>
> # patches made for musl are only applied on TCLIBC is musl
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20191025/5be1a839/attachment-0001.html>
More information about the Openembedded-core
mailing list