From 2e6025b1b1d6a7d38d8ab1539c857d239af1e3ee Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 12 Dec 2024 13:00:41 +0900
Subject: [PATCH 1/2] core/namespace: use ProtectHostname in NamespaceParameters
To make the type of NamespaceParameters.protect_hostname consistent with the one in ExecContext.
Addresses https://github.com/systemd/systemd/pull/35447#discussion_r1880372452.
Fixes #35566.
---
 src/core/exec-invoke.c | 15 ++++++---------
 src/core/namespace.c | 8 +++++---
 src/core/namespace.h | 2 +-
 3 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index fd306f11431..91ee10ac656 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -3419,16 +3419,12 @@ static int apply_mount_namespace(
 .protect_kernel_tunables = needs_sandboxing && context->protect_kernel_tunables,
 .protect_kernel_modules = needs_sandboxing && context->protect_kernel_modules,
 .protect_kernel_logs = needs_sandboxing && context->protect_kernel_logs,
- /* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise, ProtectHostname=no
- * allows changing hostname for the host and ProtectHostname=private allows changing the hostname in the unit's UTS
- * namespace. */
- .protect_hostname = needs_sandboxing && context->protect_hostname == PROTECT_HOSTNAME_YES,
 .private_dev = needs_sandboxing && context->private_devices,
 .private_network = needs_sandboxing && exec_needs_network_namespace(context),
 .private_ipc = needs_sandboxing && exec_needs_ipc_namespace(context),
 .private_pids = needs_sandboxing && exec_needs_pid_namespace(context) ? context->private_pids : PRIVATE_PIDS_NO,
- .private_tmp = needs_sandboxing ? context->private_tmp : false,
+ .private_tmp = needs_sandboxing ? context->private_tmp : PRIVATE_TMP_NO,
 .mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
 .bind_log_sockets = needs_sandboxing && exec_context_get_effective_bind_log_sockets(context),
@@ -3436,10 +3432,11 @@ static int apply_mount_namespace(
 /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
 .mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
- .protect_home = needs_sandboxing ? context->protect_home : false,
- .protect_system = needs_sandboxing ? context->protect_system : false,
- .protect_proc = needs_sandboxing ? context->protect_proc : false,
- .proc_subset = needs_sandboxing ? context->proc_subset : false,
+ .protect_home = needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
+ .protect_hostname = needs_sandboxing ? context->protect_hostname : PROTECT_HOSTNAME_NO,
+ .protect_system = needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
+ .protect_proc = needs_sandboxing ? context->protect_proc : PROTECT_PROC_DEFAULT,
+ .proc_subset = needs_sandboxing ? context->proc_subset : PROC_SUBSET_ALL,
 };
 r = setup_namespace(¶meters, reterr_path);
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 2f3b8f03d13..c3acfa203c8 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -2637,9 +2637,11 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
 return r;
 }
- /* Note, if proc is mounted with subset=pid then neither of the two paths will exist, i.e. they are
- * implicitly protected by the mount option. */
- if (p->protect_hostname) {
+ /* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise,
+ * ProtectHostname=no allows changing hostname for the host, and ProtectHostname=private allows
+ * changing the hostname in the unit's UTS namespace. Note, if proc is mounted with subset=pid then
+ * neither of the two paths will exist, i.e. they are implicitly protected by the mount option. */
+ if (p->protect_hostname == PROTECT_HOSTNAME_YES) {
 r = append_static_mounts(
 &ml,
 protect_hostname_yes_table,
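Review bot: The five rewritten fallbacks on the `+` lines only preserve the non-sandboxed behaviour if PROTECT_HOME_NO, PROTECT_HOSTNAME_NO, PROTECT_SYSTEM_NO, PROTECT_PROC_DEFAULT and PROC_SUBSET_ALL are each the zero member of their enum, because the old code stored `false` in the same fields; the enum definitions are not in this diff, so that is the one thing to confirm against namespace.h before merging. Passing the full ProtectHostname value to `setup_namespace()` instead of collapsing it to a bool here moves the yes/no/private decision into namespace.c, which is consistent but means this call site no longer documents that only `yes` produces read-only mounts. `¶meters` on the last context line is presumably `&parameters` mangled by HTML-entity decoding of this rendering rather than a change in the commit. apply_mount_namespace() begins before this hunk.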
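Review bot: Now that `p->protect_hostname` is a ProtectHostname enum rather than a bool, this `if` is the only reader the diff updates; any other truthiness test of the field in namespace.c (none is visible in this hunk) would now also fire for ProtectHostname=private and silently extend the read-only hostname/domainname mounts to a case the new comment says is meant to be writable inside the unit's UTS namespace, so the file is worth grepping for other uses before merging. Comparing against PROTECT_HOSTNAME_YES reproduces the narrowing the caller previously did, so the mount set for yes and no is unchanged; the private case is presumably handled outside this function. setup_namespace() begins before and continues after this hunk.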
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 96f62be30a2..21ae5a991db 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -181,7 +181,6 @@ struct NamespaceParameters {
 bool protect_kernel_tunables;
 bool protect_kernel_modules;
 bool protect_kernel_logs;
- bool protect_hostname;
 bool private_dev;
 bool private_network;
@@ -193,6 +192,7 @@ struct NamespaceParameters {
 ProtectControlGroups protect_control_groups;
 ProtectHome protect_home;
+ ProtectHostname protect_hostname;
 ProtectSystem protect_system;
 ProtectProc protect_proc;
 ProcSubset proc_subset;
From ef9a3241b37690ee0e76d84d48f82135da42e48b Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Thu, 12 Dec 2024 15:14:32 +0900
Subject: [PATCH 2/2] mkosi: wrap unshare command when running with sanitizers
Follow-up for 219a6dbbf3ad0121ec43118d4fcdb7b375532cbe.
Fixes #35546.
---
 mkosi.sanitizers/mkosi.postinst | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mkosi.sanitizers/mkosi.postinst b/mkosi.sanitizers/mkosi.postinst
index e83d05c6bc9..af9db439112 100755
--- a/mkosi.sanitizers/mkosi.postinst
+++ b/mkosi.sanitizers/mkosi.postinst
@@ -78,6 +78,7 @@ wrap=(
 su
 tar
 tgtd
+ unshare
 useradd
 userdel
 veritysetup
@@ -100,7 +101,7 @@ for bin in "${wrap[@]}"; do cat >"$BUILDROOT/$target" <