Control: tag -1 d-i

d-i ack needed for the udeb.


On Wed, Mar 04, 2026 at 12:33:05PM +0100, Bastian Germann wrote:
> Control: tags -1 - moreinfo
> 
> Please find the new debdiff attached.

> diff -Nru xfsprogs-6.13.0/debian/changelog xfsprogs-6.13.0/debian/changelog
> --- xfsprogs-6.13.0/debian/changelog  2025-02-23 15:32:04.000000000 +0100
> +++ xfsprogs-6.13.0/debian/changelog  2026-03-04 12:28:29.000000000 +0100
> @@ -1,3 +1,10 @@
> +xfsprogs (6.13.0-2+deb13u1) trixie; urgency=medium
> +
> +  * xfs_scrub_fail: reduce security lockdowns to avoid postfix problems
> +    (Closes: #1116595)
> +
> + -- Bastian Germann <[email protected]>  Wed, 04 Mar 2026 12:28:29 +0100
> +
>  xfsprogs (6.13.0-2) unstable; urgency=medium
>  
>    * Patch: mkfs: Correct filesize declaration
> diff -Nru 
> xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch
>  
> xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch
> --- 
> xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch
>   1970-01-01 01:00:00.000000000 +0100
> +++ 
> xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch
>   2026-03-01 17:22:10.000000000 +0100
> @@ -0,0 +1,133 @@
> +From: Bastian Germann <[email protected]>
> +Date: Mar, 01 2026 16:19:13 +0100
> +Bug-Debian: https://bugs.debian.org/1116595
> +Subject: reduce security lockdowns to avoid postfix problems
> +
> +Apply upstream 50411335572120153cc84d54213cd5ca9dd11b14 to the other
> +systemd services that people might have problems with.
> +---
> +--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all.service.in
> ++++ xfsprogs-6.18.0/scrub/xfs_scrub_all.service.in
> +@@ -25,61 +25,3 @@ IOSchedulingClass=idle
> + CPUSchedulingPolicy=idle
> + CPUAccounting=true
> + Nice=19
> +-
> +-# No realtime scheduling
> +-RestrictRealtime=true
> +-
> +-# No special privileges, but we still have to run as root so that we can
> +-# contact the service manager to start the sub-units.
> +-CapabilityBoundingSet=
> +-NoNewPrivileges=true
> +-RestrictSUIDSGID=true
> +-
> +-# Make the entire filesystem readonly except for the media scan stamp file
> +-# directory.  We don't want to hide anything because we need to find all
> +-# mounted XFS filesystems in the host.
> +-ProtectSystem=strict
> +-ProtectHome=read-only
> +-PrivateTmp=false
> +-BindPaths=@pkg_state_dir@
> +-
> +-# No network access except to the systemd control socket
> +-PrivateNetwork=true
> +-ProtectHostname=true
> +-RestrictAddressFamilies=AF_UNIX
> +-IPAddressDeny=any
> +-
> +-# Don't let the program mess with the kernel configuration at all
> +-ProtectKernelLogs=true
> +-ProtectKernelModules=true
> +-ProtectKernelTunables=true
> +-ProtectControlGroups=true
> +-ProtectProc=invisible
> +-RestrictNamespaces=true
> +-
> +-# Hide everything in /proc, even /proc/mounts
> +-ProcSubset=pid
> +-
> +-# Only allow the default personality Linux
> +-LockPersonality=true
> +-
> +-# No writable memory pages
> +-MemoryDenyWriteExecute=true
> +-
> +-# Don't let our mounts leak out to the host
> +-PrivateMounts=true
> +-
> +-# Restrict system calls to the native arch and only enough to get things 
> going
> +-SystemCallArchitectures=native
> +-SystemCallFilter=@system-service
> +-SystemCallFilter=~@privileged
> +-SystemCallFilter=~@resources
> +-SystemCallFilter=~@mount
> +-
> +-# Media scan stamp file shouldn't be readable by regular users
> +-UMask=0077
> +-
> +-# lsblk ignores mountpoints if it can't find the device files, so we cannot
> +-# hide them
> +-#ProtectClock=true
> +-#PrivateDevices=true
> +--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all_fail.service.in
> ++++ xfsprogs-6.18.0/scrub/xfs_scrub_all_fail.service.in
> +@@ -14,58 +14,3 @@ ExecStart=@pkg_libexec_dir@/xfs_scrub_fa
> + User=mail
> + Group=mail
> + SupplementaryGroups=systemd-journal
> +-
> +-# No realtime scheduling
> +-RestrictRealtime=true
> +-
> +-# Make the entire filesystem readonly and /home inaccessible.
> +-ProtectSystem=full
> +-ProtectHome=yes
> +-PrivateTmp=true
> +-RestrictSUIDSGID=true
> +-
> +-# Emailing reports requires network access, but not the ability to change 
> the
> +-# hostname.
> +-ProtectHostname=true
> +-
> +-# Don't let the program mess with the kernel configuration at all
> +-ProtectKernelLogs=true
> +-ProtectKernelModules=true
> +-ProtectKernelTunables=true
> +-ProtectControlGroups=true
> +-ProtectProc=invisible
> +-RestrictNamespaces=true
> +-
> +-# Can't hide /proc because journalctl needs it to find various pieces of log
> +-# information
> +-#ProcSubset=pid
> +-
> +-# Only allow the default personality Linux
> +-LockPersonality=true
> +-
> +-# No writable memory pages
> +-MemoryDenyWriteExecute=true
> +-
> +-# Don't let our mounts leak out to the host
> +-PrivateMounts=true
> +-
> +-# Restrict system calls to the native arch and only enough to get things 
> going
> +-SystemCallArchitectures=native
> +-SystemCallFilter=@system-service
> +-SystemCallFilter=~@privileged
> +-SystemCallFilter=~@resources
> +-SystemCallFilter=~@mount
> +-
> +-# xfs_scrub needs these privileges to run, and no others
> +-CapabilityBoundingSet=
> +-NoNewPrivileges=true
> +-
> +-# Failure reporting shouldn't create world-readable files
> +-UMask=0077
> +-
> +-# Clean up any IPC objects when this unit stops
> +-RemoveIPC=true
> +-
> +-# No access to hardware device files
> +-PrivateDevices=true
> +-ProtectClock=true
> diff -Nru xfsprogs-6.13.0/debian/patches/series 
> xfsprogs-6.13.0/debian/patches/series
> --- xfsprogs-6.13.0/debian/patches/series     2025-02-23 15:20:24.000000000 
> +0100
> +++ xfsprogs-6.13.0/debian/patches/series     2026-03-04 12:27:53.000000000 
> +0100
> @@ -1 +1,3 @@
>  mkfs-Correct-filesize-declaration.patch
> +xfs_scrub_fail-reduce-security-lockdowns.patch
> +reduce-security-lockdowns-to-avoid-postfix-problems.patch
> diff -Nru 
> xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 
> xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch
> --- 
> xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 
>     1970-01-01 01:00:00.000000000 +0100
> +++ 
> xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch 
>     2026-03-04 12:26:44.000000000 +0100
> @@ -0,0 +1,101 @@
> +From 15fd6fc686d5ce7640e46d44f6fa018413ce1b64 Mon Sep 17 00:00:00 2001
> +From: "Darrick J. Wong" <[email protected]>
> +Date: Mon, 13 Oct 2025 16:34:24 -0700
> +Subject: [PATCH] xfs_scrub_fail: reduce security lockdowns to avoid postfix
> + problems
> +
> +Iustin Pop reports that the xfs_scrub_fail service fails to email
> +problem reports on Debian when postfix is installed.  This is apparently
> +due to several factors:
> +
> +1. postfix's sendmail wrapper calling postdrop directly,
> +2. postdrop requiring the ability to write to the postdrop group,
> +3. lockdown preventing the xfs_scrub_fail@ service to have postdrop in
> +   the supplemental group list or the ability to run setgid programs
> +
> +Item (3) could be solved by adding the whole service to the postdrop
> +group via SupplementalGroups=, but that will fail if postfix is not
> +installed and hence there is no postdrop group.
> +
> +It could also be solved by forcing msmtp to be installed, bind mounting
> +msmtp into the service container, and injecting a config file that
> +instructs msmtp to connect to port 25, but that in turn isn't compatible
> +with systems not configured to allow an smtp server to listen on ::1.
> +
> +So we'll go with the less restrictive approach that e2scrub_fail@ does,
> +which is to say that we just turn off all the sandboxing. :( :(
> +
> +Reported-by: [email protected]
> +Cc: [email protected] # v6.10.0
> +Fixes: 9042fcc08eed6a ("xfs_scrub_fail: tighten up the security on the 
> background systemd service")
> +Signed-off-by: Darrick J. Wong <[email protected]>
> +Reviewed-by: Andrey Albershteyn <[email protected]>
> +---
> + scrub/[email protected] | 57 ++------------------------------
> + 1 file changed, 3 insertions(+), 54 deletions(-)
> +
> +diff --git a/scrub/[email protected] 
> b/scrub/[email protected]
> +index 16077888..1e205768 100644
> +--- a/scrub/[email protected]
> ++++ b/scrub/[email protected]
> +@@ -19,57 +19,6 @@ SupplementaryGroups=systemd-journal
> + # can control resource usage.
> + Slice=system-xfs_scrub.slice
> + 
> +-# No realtime scheduling
> +-RestrictRealtime=true
> +-
> +-# Make the entire filesystem readonly and /home inaccessible.
> +-ProtectSystem=full
> +-ProtectHome=yes
> +-PrivateTmp=true
> +-RestrictSUIDSGID=true
> +-
> +-# Emailing reports requires network access, but not the ability to change 
> the
> +-# hostname.
> +-ProtectHostname=true
> +-
> +-# Don't let the program mess with the kernel configuration at all
> +-ProtectKernelLogs=true
> +-ProtectKernelModules=true
> +-ProtectKernelTunables=true
> +-ProtectControlGroups=true
> +-ProtectProc=invisible
> +-RestrictNamespaces=true
> +-
> +-# Can't hide /proc because journalctl needs it to find various pieces of log
> +-# information
> +-#ProcSubset=pid
> +-
> +-# Only allow the default personality Linux
> +-LockPersonality=true
> +-
> +-# No writable memory pages
> +-MemoryDenyWriteExecute=true
> +-
> +-# Don't let our mounts leak out to the host
> +-PrivateMounts=true
> +-
> +-# Restrict system calls to the native arch and only enough to get things 
> going
> +-SystemCallArchitectures=native
> +-SystemCallFilter=@system-service
> +-SystemCallFilter=~@privileged
> +-SystemCallFilter=~@resources
> +-SystemCallFilter=~@mount
> +-
> +-# xfs_scrub needs these privileges to run, and no others
> +-CapabilityBoundingSet=
> +-NoNewPrivileges=true
> +-
> +-# Failure reporting shouldn't create world-readable files
> +-UMask=0077
> +-
> +-# Clean up any IPC objects when this unit stops
> +-RemoveIPC=true
> +-
> +-# No access to hardware device files
> +-PrivateDevices=true
> +-ProtectClock=true
> ++# No further restrictions because some installations may have MTAs such as
> ++# postfix, which require the ability to run setgid programs and other
> ++# foolishness.


-- 
Jonathan Wiltshire                                      [email protected]
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

Reply via email to