Merge pull request #20023 from yuwata/re-enable-nosuid-mount-flag

core: reenable nosuid mount flag when NoNewPrivileges=yes
2025-01-11 05:17:44 +03:00 · 2021-06-25 14:21:05 +02:00 · 2021-06-25 14:21:05 +02:00 · a768492a33
commit a768492a33
parent 99df1cb6f5 5181630f26
4 changed files with 38 additions and 1 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@ -675,7 +675,9 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
        <varname>SystemCallArchitectures=</varname>,
        <varname>SystemCallFilter=</varname>, or
        <varname>SystemCallLog=</varname> are specified. Note that even if this setting is overridden
-        by them, <command>systemctl show</command> shows the original value of this setting. Also see
+        by them, <command>systemctl show</command> shows the original value of this setting. In case the
+        service will be run in a new mount namespace anyway and SELinux is disabled, all file systems
+        are mounted with <constant>MS_NOSUID</constant> flag. Also see
        <ulink url="https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html">No New
        Privileges Flag</ulink>.</para></listitem>
      </varlistentry>
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -3190,6 +3190,8 @@ static int apply_mount_namespace(
                        .protect_proc = context->protect_proc,
                        .proc_subset = context->proc_subset,
                        .private_ipc = context->private_ipc || context->ipc_namespace_path,
+                        /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
+                        .mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
                };
        } else if (!context->dynamic_user && root_dir)
                /*
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -1473,6 +1473,27 @@ static int make_noexec(const MountEntry *m, char **deny_list, FILE *proc_self_mo
        return 0;
 }

+static int make_nosuid(const MountEntry *m, FILE *proc_self_mountinfo) {
+        bool submounts = false;
+        int r = 0;
+
+        assert(m);
+        assert(proc_self_mountinfo);
+
+        submounts = !IN_SET(m->mode, EMPTY_DIR, TMPFS);
+
+        if (submounts)
+                r = bind_remount_recursive_with_mountinfo(mount_entry_path(m), MS_NOSUID, MS_NOSUID, NULL, proc_self_mountinfo);
+        else
+                r = bind_remount_one_with_mountinfo(mount_entry_path(m), MS_NOSUID, MS_NOSUID, proc_self_mountinfo);
+        if (r == -ENOENT && m->ignore)
+                return 0;
+        if (r < 0)
+                return log_debug_errno(r, "Failed to re-mount '%s'%s: %m", mount_entry_path(m),
+                                       submounts ? " and its submounts" : "");
+        return 0;
+}
+
 static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
        assert(ns_info);

@ -1669,6 +1690,17 @@ static int apply_mounts(
                }
        }

+        /* Fourth round, flip the nosuid bits without a deny list. */
+        if (ns_info->mount_nosuid)
+                for (MountEntry *m = mounts; m < mounts + *n_mounts; ++m) {
+                        r = make_nosuid(m, proc_self_mountinfo);
+                        if (r < 0) {
+                                if (error_path && mount_entry_path(m))
+                                        *error_path = strdup(mount_entry_path(m));
+                                return r;
+                        }
+                }
+
        return 1;
 }

--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@ -74,6 +74,7 @@ struct NamespaceInfo {
        bool mount_apivfs;
        bool protect_hostname;
        bool private_ipc;
+        bool mount_nosuid;
        ProtectHome protect_home;
        ProtectSystem protect_system;
        ProtectProc protect_proc;