CVE: CVE-2019-3842 CVE-2019-3843 CVE-2019-3844 Upstream-Status: Backport
Signed-off-by: Muminul Islam <[email protected]> --- .../systemd/systemd/CVE-2019-3842.patch | 59 +++++ .../systemd/systemd/CVE-2019-3843_p1.patch | 227 ++++++++++++++++++ .../systemd/systemd/CVE-2019-3843_p2.patch | 174 ++++++++++++++ .../systemd/systemd/CVE-2019-3843_p3.patch | 90 +++++++ .../systemd/systemd/CVE-2019-3843_p4.patch | 163 +++++++++++++ .../systemd/systemd/CVE-2019-3844.patch | 96 ++++++++ meta/recipes-core/systemd/systemd_239.bb | 6 + 7 files changed, 815 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3842.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-3844.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch new file mode 100644 index 0000000000..c58914b5b3 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3842.patch @@ -0,0 +1,59 @@ +From 7ee4ae8c15bd9cc3d60000f9a4b684ea608cabc6 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <[email protected]> +Date: Mon, 4 Feb 2019 10:23:43 +0100 +Subject: [PATCH] pam-systemd: use secure_getenv() rather than getenv() +Reply-To: [email protected] + +And explain why in a comment. + +Signed-off-by: Muminul Islam <[email protected]> + +CVE: CVE-2019-3842 + +Upstream-Status: Backport + +Upstream commit: https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a +--- + src/login/pam_systemd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c +index 1fbf6ba585..3ecb34425d 100644 +--- a/src/login/pam_systemd.c ++++ b/src/login/pam_systemd.c +@@ -354,27 +354,27 @@ _public_ PAM_EXTERN int pam_sm_open_session( + + seat = pam_getenv(handle, "XDG_SEAT"); + if (isempty(seat)) +- seat = getenv("XDG_SEAT"); ++ seat = secure_getenv("XDG_SEAT"); + + cvtnr = pam_getenv(handle, "XDG_VTNR"); + if (isempty(cvtnr)) +- cvtnr = getenv("XDG_VTNR"); ++ cvtnr = secure_getenv("XDG_VTNR"); + + type = pam_getenv(handle, "XDG_SESSION_TYPE"); + if (isempty(type)) +- type = getenv("XDG_SESSION_TYPE"); ++ type = secure_getenv("XDG_SESSION_TYPE"); + if (isempty(type)) + type = type_pam; + + class = pam_getenv(handle, "XDG_SESSION_CLASS"); + if (isempty(class)) +- class = getenv("XDG_SESSION_CLASS"); ++ class = secure_getenv("XDG_SESSION_CLASS"); + if (isempty(class)) + class = class_pam; + + desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP"); + if (isempty(desktop)) +- desktop = getenv("XDG_SESSION_DESKTOP"); ++ desktop = secure_getenv("XDG_SESSION_DESKTOP"); + + tty = strempty(tty); + +-- +2.23.0 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch new file mode 100644 index 0000000000..a0646dd54e --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p1.patch @@ -0,0 +1,227 @@ +From 63788571a48adec4a0fed9d1d8993f867d1c1a1d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <[email protected]> +Date: Wed, 20 Mar 2019 19:00:28 +0100 +Subject: [PATCH] seccomp: introduce seccomp_restrict_suid_sgid() for blocking + chmod() for suid/sgid files +Reply-To: [email protected] + +Signed-off-by: Muminul Islam <[email protected]> + +CVE: CVE-2019-3843 +Upstream-Status: Backport + +Upstream commit: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433 +--- + src/shared/seccomp-util.c | 173 ++++++++++++++++++++++++++++++++++++++ + src/shared/seccomp-util.h | 1 + + 2 files changed, 174 insertions(+) + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index c433cb90dc..e9632d703e 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -1,12 +1,14 @@ + /* SPDX-License-Identifier: LGPL-2.1+ */ + + #include <errno.h> ++#include <fcntl.h> + #include <linux/seccomp.h> + #include <seccomp.h> + #include <stddef.h> + #include <sys/mman.h> + #include <sys/prctl.h> + #include <sys/shm.h> ++#include <sys/stat.h> + + #include "af-list.h" + #include "alloc-util.h" +@@ -1742,3 +1744,174 @@ int seccomp_lock_personality(unsigned long personality) { + + return 0; + } ++ ++int seccomp_protect_hostname(void) { ++ uint32_t arch; ++ int r; ++ ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) { ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; ++ ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); ++ if (r < 0) ++ return r; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(sethostname), ++ 0); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to add sethostname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ continue; ++ } ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(setdomainname), ++ 0); ++ if (r < 0) { ++ log_debug_errno(r, "Failed to add setdomainname() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ continue; ++ } ++ ++ r = seccomp_load(seccomp); ++ if (IN_SET(r, -EPERM, -EACCES)) ++ return r; ++ if (r < 0) ++ log_debug_errno(r, "Failed to apply hostname restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ } ++ ++ return 0; ++} ++ ++int seccomp_restrict_suid_sgid(void) { ++ uint32_t arch; ++ int r; ++ ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) { ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; ++ ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); ++ if (r < 0) ++ return r; ++ ++ /* Checks the mode_t parameter of the following system calls: ++ * ++ * â chmod() + fchmod() + fchmodat() ++ * â open() + creat() + openat() ++ * â mkdir() + mkdirat() ++ * â mknod() + mknodat() ++ */ ++ ++ for (unsigned bit = 0; bit < 2; bit ++) { ++ /* Block S_ISUID in the first iteration, S_ISGID in the second */ ++ mode_t m = bit == 0 ? S_ISUID : S_ISGID; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(chmod), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(fchmod), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(fchmodat), ++ 1, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mkdir), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mkdirat), ++ 1, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mknod), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mknodat), ++ 1, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(open), ++ 2, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT), ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(openat), ++ 2, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT), ++ SCMP_A3(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(creat), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ } ++ if (r < 0) { ++ log_debug_errno(r, "Failed to add suid/sgid rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ continue; ++ } ++ ++ r = seccomp_load(seccomp); ++ if (IN_SET(r, -EPERM, -EACCES)) ++ return r; ++ if (r < 0) ++ log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ } ++ ++ return 0; ++} +diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h +index eac857afb9..a274333450 100644 +--- a/src/shared/seccomp-util.h ++++ b/src/shared/seccomp-util.h +@@ -85,6 +85,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist); + int seccomp_restrict_realtime(void); + int seccomp_memory_deny_write_execute(void); + int seccomp_lock_personality(unsigned long personality); ++int seccomp_restrict_suid_sgid(void); + + extern const uint32_t seccomp_local_archs[]; + +-- +2.23.0 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch new file mode 100644 index 0000000000..bf9e4cd641 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p2.patch @@ -0,0 +1,174 @@ +From 8c2b92f997255296186d3986cde04de57c652b73 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <[email protected]> +Date: Wed, 20 Mar 2019 19:09:09 +0100 +Subject: [PATCH] core: expose SUID/SGID restriction as new unit setting + RestrictSUIDSGID= +Reply-To: [email protected] + +Signed-off-by: Muminul Islam <[email protected]> + +CVE: CVE-2019-3843 +Upstream-Status: Backport +Upstream Commit: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada +--- + src/core/dbus-execute.c | 4 ++++ + src/core/execute.c | 22 +++++++++++++++++++ + src/core/execute.h | 1 + + src/core/load-fragment-gperf.gperf.m4 | 2 ++ + src/shared/bus-unit-util.c | 12 +++++----- + test/fuzz-corpus/unit-file/directives.service | 1 + + 6 files changed, 36 insertions(+), 6 deletions(-) + +diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c +index c44970c10c..41dfb36377 100644 +--- a/src/core/dbus-execute.c ++++ b/src/core/dbus-execute.c +@@ -769,6 +769,7 @@ const sd_bus_vtable bus_exec_vtable[] = { + SD_BUS_PROPERTY("ConfigurationDirectory", "as", NULL, offsetof(ExecContext, directories[EXEC_DIRECTORY_CONFIGURATION].paths), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST), ++ SD_BUS_PROPERTY("RestrictSUIDSGID", "b", bus_property_get_bool, offsetof(ExecContext, restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST), +@@ -1127,6 +1128,9 @@ int bus_exec_context_set_transient_property( + if (streq(name, "RestrictRealtime")) + return bus_set_transient_bool(u, name, &c->restrict_realtime, message, flags, error); + ++ if (streq(name, "RestrictSUIDSGID")) ++ return bus_set_transient_bool(u, name, &c->restrict_suid_sgid, message, flags, error); ++ + if (streq(name, "DynamicUser")) + return bus_set_transient_bool(u, name, &c->dynamic_user, message, flags, error); + +diff --git a/src/core/execute.c b/src/core/execute.c +index 8ac69d1a0f..e7f78f7f32 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -1366,6 +1366,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) { + return context_has_address_families(c) || + c->memory_deny_write_execute || + c->restrict_realtime || ++ c->restrict_suid_sgid || + exec_context_restrict_namespaces_set(c) || + c->protect_kernel_tunables || + c->protect_kernel_modules || +@@ -1470,6 +1471,19 @@ static int apply_restrict_realtime(const Unit* u, const ExecContext *c) { + return seccomp_restrict_realtime(); + } + ++static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) { ++ assert(u); ++ assert(c); ++ ++ if (!c->restrict_suid_sgid) ++ return 0; ++ ++ if (skip_seccomp_unavailable(u, "RestrictSUIDSGID=")) ++ return 0; ++ ++ return seccomp_restrict_suid_sgid(); ++} ++ + static int apply_protect_sysctl(const Unit *u, const ExecContext *c) { + assert(u); + assert(c); +@@ -3331,6 +3345,12 @@ static int exec_child( + return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m"); + } + ++ r = apply_restrict_suid_sgid(unit, context); ++ if (r < 0) { ++ *exit_status = EXIT_SECCOMP; ++ return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m"); ++ } ++ + r = apply_restrict_namespaces(unit, context); + if (r < 0) { + *exit_status = EXIT_SECCOMP; +@@ -3920,6 +3940,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) { + "%sIgnoreSIGPIPE: %s\n" + "%sMemoryDenyWriteExecute: %s\n" + "%sRestrictRealtime: %s\n" ++ "%sRestrictSUIDSGID: %s\n" + "%sKeyringMode: %s\n", + prefix, c->umask, + prefix, c->working_directory ? c->working_directory : "/", +@@ -3938,6 +3959,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) { + prefix, yes_no(c->ignore_sigpipe), + prefix, yes_no(c->memory_deny_write_execute), + prefix, yes_no(c->restrict_realtime), ++ prefix, yes_no(c->restrict_suid_sgid), + prefix, exec_keyring_mode_to_string(c->keyring_mode)); + + if (c->root_image) +diff --git a/src/core/execute.h b/src/core/execute.h +index 77ffe82323..e6319cee8a 100644 +--- a/src/core/execute.h ++++ b/src/core/execute.h +@@ -260,6 +260,7 @@ struct ExecContext { + + bool memory_deny_write_execute; + bool restrict_realtime; ++ bool restrict_suid_sgid; + + bool oom_score_adjust_set:1; + bool nice_set:1; +diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 +index 15fb47838c..692edcb101 100644 +--- a/src/core/load-fragment-gperf.gperf.m4 ++++ b/src/core/load-fragment-gperf.gperf.m4 +@@ -72,6 +72,7 @@ $1.SystemCallErrorNumber, config_parse_syscall_errno, 0, + $1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute) + $1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context) + $1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime) ++$1.RestrictSUIDSGID, config_parse_bool, 0, offsetof($1, exec_context.restrict_suid_sgid) + $1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context) + $1.LockPersonality, config_parse_bool, 0, offsetof($1, exec_context.lock_personality)', + `$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 +@@ -80,6 +81,7 @@ $1.SystemCallErrorNumber, config_parse_warn_compat, DISABLED_CO + $1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 ++$1.RestrictSUIDSGID, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.LockPersonality, config_parse_warn_compat, DISABLED_CONFIGURATION, 0') + $1.LimitCPU, config_parse_rlimit, RLIMIT_CPU, offsetof($1, exec_context.rlimit) +diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c +index 3238b442c0..c2f9720c33 100644 +--- a/src/shared/bus-unit-util.c ++++ b/src/shared/bus-unit-util.c +@@ -692,12 +692,12 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con + return bus_append_string(m, field, eq); + + if (STR_IN_SET(field, +- "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "TTYVTDisallocate", +- "PrivateTmp", "PrivateDevices", "PrivateNetwork", "PrivateUsers", +- "PrivateMounts", "NoNewPrivileges", "SyslogLevelPrefix", +- "MemoryDenyWriteExecute", "RestrictRealtime", "DynamicUser", "RemoveIPC", +- "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups", +- "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality")) ++ "IgnoreSIGPIPE", "TTYVHangup", "TTYReset", "TTYVTDisallocate", "PrivateTmp", ++ "PrivateDevices", "PrivateNetwork", "PrivateUsers", "PrivateMounts", ++ "NoNewPrivileges", "SyslogLevelPrefix", "MemoryDenyWriteExecute", "RestrictRealtime", ++ "DynamicUser", "RemoveIPC", "ProtectKernelTunables", "ProtectKernelModules", ++ "ProtectControlGroups", "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality", ++ "ProtectHostname", "RestrictSUIDSGID")) + + return bus_append_parse_boolean(m, field, eq); + +diff --git a/test/fuzz-corpus/unit-file/directives.service b/test/fuzz-corpus/unit-file/directives.service +index b35325fb6f..ad6cd8d712 100644 +--- a/test/fuzz-corpus/unit-file/directives.service ++++ b/test/fuzz-corpus/unit-file/directives.service +@@ -848,6 +848,7 @@ ReserveVT= + RestrictAddressFamilies= + RestrictNamespaces= + RestrictRealtime= ++RestrictSUIDSGID= + RuntimeDirectory= + RuntimeDirectoryMode= + RuntimeDirectoryPreserve= +-- +2.23.0 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch new file mode 100644 index 0000000000..586b4118bf --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p3.patch @@ -0,0 +1,90 @@ +From cd8496795c104c7e557f2d9207f75b896465dbee Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <[email protected]> +Date: Wed, 20 Mar 2019 19:45:32 +0100 +Subject: [PATCH] man: document the new RestrictSUIDSGID= setting +Reply-To: [email protected] + +Signed-off-by: Muminul Islam <[email protected]> + +CVE: CVE-2019-3843 +Upstream-Status: Backport +Upstream Commit: https://github.com/systemd/systemd/commit/7445db6eb70e8d5989f481d0c5a08ace7047ae5b +--- + doc/TRANSIENT-SETTINGS.md | 1 + + man/systemd.exec.xml | 41 +++++++++++++++++++++++++++------------ + 2 files changed, 30 insertions(+), 12 deletions(-) + +diff --git a/doc/TRANSIENT-SETTINGS.md b/doc/TRANSIENT-SETTINGS.md +index ca9e8387b7..20c70a05f9 100644 +--- a/doc/TRANSIENT-SETTINGS.md ++++ b/doc/TRANSIENT-SETTINGS.md +@@ -147,6 +147,7 @@ All execution-related settings are available for transient units. + â MemoryDenyWriteExecute= + â RestrictNamespaces= + â RestrictRealtime= ++â RestrictSUIDSGID= + â RestrictAddressFamilies= + â LockPersonality= + â LimitCPU= +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml +index 3bd790b485..2bdbc0608e 100644 +--- a/man/systemd.exec.xml ++++ b/man/systemd.exec.xml +@@ -348,18 +348,19 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> + <varlistentry> + <term><varname>NoNewPrivileges=</varname></term> + +- <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can +- never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem +- capabilities). This is the simplest and most effective way to ensure that a process and its children can never +- elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this +- setting. This is the case when <varname>SystemCallFilter=</varname>, +- <varname>SystemCallArchitectures=</varname>, <varname>RestrictAddressFamilies=</varname>, +- <varname>RestrictNamespaces=</varname>, <varname>PrivateDevices=</varname>, +- <varname>ProtectKernelTunables=</varname>, <varname>ProtectKernelModules=</varname>, +- <varname>MemoryDenyWriteExecute=</varname>, <varname>RestrictRealtime=</varname>, or +- <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by them, +- <command>systemctl show</command> shows the original value of this setting. Also see +- <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html";>No New Privileges ++ <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its ++ children can never gain new privileges through <function>execve()</function> (e.g. via setuid or ++ setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that ++ a process and its children can never elevate privileges again. Defaults to false, but certain ++ settings override this and ignore the value of this setting. This is the case when ++ <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>, ++ <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, ++ <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, ++ <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, ++ <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname> or ++ <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by ++ them, <command>systemctl show</command> shows the original value of this setting. Also see <ulink ++ url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html";>No New Privileges + Flag</ulink>. </para></listitem> + </varlistentry> + +@@ -1252,6 +1253,22 @@ RestrictNamespaces=~cgroup net</programlisting> + that actually require them. Defaults to off.</para></listitem> + </varlistentry> + ++ <varlistentry> ++ <term><varname>RestrictSUIDSGID=</varname></term> ++ ++ <listitem><para>Takes a boolean argument. If set, any attempts to set the set-user-ID (SUID) or ++ set-group-ID (SGID) bits on files or directories will be denied (for details on these bits see ++ <citerefentry ++ project='man-pages'><refentrytitle>inode</refentrytitle><manvolnum>7</manvolnum></citerefentry>). If ++ running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> ++ capability (e.g. setting <varname>User=</varname>), <varname>NoNewPrivileges=yes</varname> is ++ implied. As the SUID/SGID bits are mechanisms to elevate privileges, and allows users to acquire the ++ identity of other users, it is recommended to restrict creation of SUID/SGID files to the few ++ programs that actually require them. Note that this restricts marking of any type of file system ++ object with these bits, including both regular files and directories (where the SGID is a different ++ meaning than for files, see documentation). Defaults to off.</para></listitem> ++ </varlistentry> ++ + <varlistentry> + <term><varname>RemoveIPC=</varname></term> + +-- +2.23.0 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch new file mode 100644 index 0000000000..ae2d8f7999 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3843_p4.patch @@ -0,0 +1,163 @@ +From a331bccfacc286c8f8d75544548a47d098c9d580 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <[email protected]> +Date: Wed, 20 Mar 2019 19:52:20 +0100 +Subject: [PATCH] units: turn on RestrictSUIDSGID= in most of our long-running + daemons +Reply-To: [email protected] + +Signed-off-by: Muminul Islam <[email protected]> +CVE: CVE-2019-3843 +Upstream-Status: Backport +Upstream Commit: https://github.com/systemd/systemd/commit/62aa29247c3d74bcec0607c347f2be23cd90675d +--- + units/[email protected] | 1 + + units/systemd-hostnamed.service.in | 1 + + units/systemd-journal-remote.service.in | 1 + + units/systemd-journald.service.in | 1 + + units/systemd-localed.service.in | 1 + + units/systemd-logind.service.in | 1 + + units/systemd-networkd.service.in | 1 + + units/systemd-resolved.service.in | 1 + + units/systemd-timedated.service.in | 1 + + units/systemd-timesyncd.service.in | 1 + + units/systemd-udevd.service.in | 3 ++- + 11 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/units/[email protected] b/units/[email protected] +index 215696ecd1..08ecedbe56 100644 +--- a/units/[email protected] ++++ b/units/[email protected] +@@ -31,6 +31,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service +diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in +index da74b4fe8b..a6e07781ce 100644 +--- a/units/systemd-hostnamed.service.in ++++ b/units/systemd-hostnamed.service.in +@@ -27,6 +27,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service sethostname +diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in +index a94265f215..05a166f587 100644 +--- a/units/systemd-journal-remote.service.in ++++ b/units/systemd-journal-remote.service.in +@@ -26,6 +26,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + SystemCallArchitectures=native +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 52939e6820..ad7d979d1c 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -27,6 +27,7 @@ FileDescriptorStoreMax=4224 + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK + SystemCallFilter=@system-service +diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in +index a24e61a0cd..a9f3ab8c6e 100644 +--- a/units/systemd-localed.service.in ++++ b/units/systemd-localed.service.in +@@ -27,6 +27,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service +diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in +index 5e090bcf23..af28364bbf 100644 +--- a/units/systemd-logind.service.in ++++ b/units/systemd-logind.service.in +@@ -28,6 +28,7 @@ WatchdogSec=3min + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK + SystemCallFilter=@system-service +diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in +index 371ab3a9cf..dd42baf610 100644 +--- a/units/systemd-networkd.service.in ++++ b/units/systemd-networkd.service.in +@@ -33,6 +33,7 @@ ProtectControlGroups=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET + SystemCallFilter=@system-service +diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in +index 9982ecebff..49444298ee 100644 +--- a/units/systemd-resolved.service.in ++++ b/units/systemd-resolved.service.in +@@ -36,6 +36,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 + SystemCallFilter=@system-service +diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in +index 906bb4326c..7c210a6b16 100644 +--- a/units/systemd-timedated.service.in ++++ b/units/systemd-timedated.service.in +@@ -25,6 +25,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service @clock +diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in +index 4a490b6e16..8f614193ce 100644 +--- a/units/systemd-timesyncd.service.in ++++ b/units/systemd-timesyncd.service.in +@@ -35,6 +35,7 @@ ProtectKernelTunables=yes + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + RuntimeDirectory=systemd/timesync +diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in +index 6a3814e5d9..aa81dc5fbc 100644 +--- a/units/systemd-udevd.service.in ++++ b/units/systemd-udevd.service.in +@@ -27,8 +27,9 @@ WatchdogSec=3min + TasksMax=infinity + PrivateMounts=yes + MemoryDenyWriteExecute=yes +-RestrictRealtime=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 ++RestrictRealtime=yes ++RestrictSUIDSGID=yes + SystemCallFilter=@system-service @module @raw-io + SystemCallErrorNumber=EPERM + SystemCallArchitectures=native +-- +2.23.0 + diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch b/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch new file mode 100644 index 0000000000..721268e741 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-3844.patch @@ -0,0 +1,96 @@ +From 31bc7e4ce2ee4757663c13ed3f98f8fb90c57fd1 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <[email protected]> +Date: Wed, 20 Mar 2019 20:19:38 +0100 +Subject: [PATCH] core: imply NNP and SUID/SGID restriction for DynamicUser=yes + service +Reply-To: [email protected] + +Let's be safe, rather than sorry. This way DynamicUser=yes services can +neither take benefit of, nor create SUID/SGID binaries. + +Given that DynamicUser= is a recent addition only we should be able to +get away with turning this on, even though this is strictly speaking a +binary compatibility breakage. + +Signed-off-by: Muminul Islam <[email protected]> + +CVE: CVE-2019-3844 +Upstream-Status: Backport +Upstream Commit: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba +--- + man/systemd.exec.xml | 16 ++++++++++------ + src/core/unit.c | 10 ++++++++-- + 2 files changed, 18 insertions(+), 8 deletions(-) + +diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml +index 2bdbc0608e..b02fff4ec8 100644 +--- a/man/systemd.exec.xml ++++ b/man/systemd.exec.xml +@@ -229,7 +229,9 @@ + created by the executed processes is bound to the runtime of the service, and hence the lifetime of the dynamic + user/group. Since <filename>/tmp</filename> and <filename>/var/tmp</filename> are usually the only + world-writable directories on a system this ensures that a unit making use of dynamic user/group allocation +- cannot leave files around after unit termination. Moreover <varname>ProtectSystem=strict</varname> and ++ cannot leave files around after unit termination. Furthermore <varname>NoNewPrivileges=</varname> and ++ <varname>RestrictSUIDSGID=</varname> are implicitly enabled to ensure that processes invoked cannot take benefit or create SUID/SGID files ++ or directories Moreover <varname>ProtectSystem=strict</varname> and + <varname>ProtectHome=read-only</varname> are implied, thus prohibiting the service to write to arbitrary file + system locations. In order to allow the service to write to certain directories, they have to be whitelisted + using <varname>ReadWritePaths=</varname>, but care must be taken so that UID/GID recycling doesn't create +@@ -357,11 +359,12 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting> + <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, + <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, + <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, +- <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname> or +- <varname>LockPersonality=</varname> are specified. Note that even if this setting is overridden by +- them, <command>systemctl show</command> shows the original value of this setting. Also see <ulink ++ <varname>RestrictRealtime=</varname>, <varname>RestrictSUIDSGID=</varname>, ++ <varname>DynamicUser=</varname> or <varname>LockPersonality=</varname> are specified. Note that even ++ if this setting is overridden by them, <command>systemctl show</command> shows the original value of ++ this setting. Also see <ulink + url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html";>No New Privileges +- Flag</ulink>. </para></listitem> ++ Flag</ulink>.</para></listitem> + </varlistentry> + + <varlistentry> +@@ -1266,7 +1269,8 @@ RestrictNamespaces=~cgroup net</programlisting> + identity of other users, it is recommended to restrict creation of SUID/SGID files to the few + programs that actually require them. Note that this restricts marking of any type of file system + object with these bits, including both regular files and directories (where the SGID is a different +- meaning than for files, see documentation). Defaults to off.</para></listitem> ++ meaning than for files, see documentation). This option is implied if <varname>DynamicUser=</varname> ++ is enabled. Defaults to off.</para></listitem> + </varlistentry> + + <varlistentry> +diff --git a/src/core/unit.c b/src/core/unit.c +index a3556cc5ec..55b29c8447 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -4133,14 +4133,20 @@ int unit_patch_contexts(Unit *u) { + return -ENOMEM; + } + +- /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID +- * around in the file system or on IPC objects. Hence enforce a strict sandbox. */ ++ /* If the dynamic user option is on, let's make sure that the unit can't leave its ++ * UID/GID around in the file system or on IPC objects. Hence enforce a strict ++ * sandbox. */ + + ec->private_tmp = true; + ec->remove_ipc = true; + ec->protect_system = PROTECT_SYSTEM_STRICT; + if (ec->protect_home == PROTECT_HOME_NO) + ec->protect_home = PROTECT_HOME_READ_ONLY; ++ ++ /* Make sure this service can neither benefit from SUID/SGID binaries nor create ++ * them. */ ++ ec->no_new_privileges = true; ++ ec->restrict_suid_sgid = true; + } + } + +-- +2.23.0 + diff --git a/meta/recipes-core/systemd/systemd_239.bb b/meta/recipes-core/systemd/systemd_239.bb index 7fbd64ced7..2bc51cee2c 100644 --- a/meta/recipes-core/systemd/systemd_239.bb +++ b/meta/recipes-core/systemd/systemd_239.bb @@ -43,6 +43,12 @@ SRC_URI += "file://touchscreen.rules \ file://0026-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \ file://CVE-2019-6454.patch \ file://sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch \ + file://CVE-2019-3842.patch \ + file://CVE-2019-3843_p1.patch \ + file://CVE-2019-3843_p2.patch \ + file://CVE-2019-3843_p3.patch \ + file://CVE-2019-3843_p4.patch \ + file://CVE-2019-3842.patch \ " # patches made for musl are only applied on TCLIBC is musl -- 2.23.0
-- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
