2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch b/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch
new file mode 100644
index 0000000000..feb1178d23
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch
@@ -0,0 +1,38 @@
+From 4ac1755be2d6c141fae7e57c42936e507c5b54e3 Mon Sep 17 00:00:00 2001
+From: Etienne Cordonnier <ecordonnier@snap.com>
+Date: Fri, 6 Sep 2024 10:36:28 +0200
+Subject: [PATCH] coredump: set ProtectHome to read-only
+In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819
+ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump.
+At that point the object analysis was done in the main systemd-coredump process.
+Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names).
+However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process,
+covering those security concerns.
+Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/4ac1755be2d6c141fae7e57c42936e507c5b54e3]
+Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
+---
+ units/systemd-coredump@.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
+index 012c60d2f6..fa3206d07b 100644
+--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
+@@ -28,7 +28,7 @@ PrivateDevices=yes
+ PrivateNetwork=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+-ProtectHome=yes
+ProtectHome=read-only
+ ProtectHostname=yes
+ ProtectKernelModules=yes
+ ProtectKernelTunables=yes
+-- 
+2.43.0
diff --git a/meta/recipes-core/systemd/systemd_256.5.bb b/meta/recipes-core/systemd/systemd_256.5.bb
index 11b0fc5f05..db053b4542 100644
--- a/meta/recipes-core/systemd/systemd_256.5.bb
+++ b/meta/recipes-core/systemd/systemd_256.5.bb
@@ -28,6 +28,7 @@ SRC_URI += " \
           file://systemd-pager.sh \
           file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
           file://0002-implment-systemd-sysv-install-for-OE.patch \
+           file://0003-coredump-set-ProtectHome-to-read-only.patch \
           "
 # patches needed by musl

diff --git a/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch b/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch new file mode 100644 index 0000000000..feb1178d23 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch
@@ -0,0 +1,38 @@
		1	From 4ac1755be2d6c141fae7e57c42936e507c5b54e3 Mon Sep 17 00:00:00 2001
		2	From: Etienne Cordonnier <ecordonnier@snap.com>
		3	Date: Fri, 6 Sep 2024 10:36:28 +0200
		4	Subject: [PATCH] coredump: set ProtectHome to read-only
		5
		6	In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819
		7	ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump.
		8	At that point the object analysis was done in the main systemd-coredump process.
		9	Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names).
		10
		11	However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process,
		12	covering those security concerns.
		13
		14	Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
		15
		16	Upstream-Status: Backport [https://github.com/systemd/systemd/commit/4ac1755be2d6c141fae7e57c42936e507c5b54e3]
		17
		18	Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
		19	---
		20	units/systemd-coredump@.service.in \| 2 +-
		21	1 file changed, 1 insertion(+), 1 deletion(-)
		22
		23	diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
		24	index 012c60d2f6..fa3206d07b 100644
		25	--- a/units/systemd-coredump@.service.in
		26	+++ b/units/systemd-coredump@.service.in
		27	@@ -28,7 +28,7 @@ PrivateDevices=yes
		28	PrivateNetwork=yes
		29	PrivateTmp=yes
		30	ProtectControlGroups=yes
		31	-ProtectHome=yes
		32	+ProtectHome=read-only
		33	ProtectHostname=yes
		34	ProtectKernelModules=yes
		35	ProtectKernelTunables=yes
		36	--
		37	2.43.0
		38


diff --git a/meta/recipes-core/systemd/systemd_256.5.bb b/meta/recipes-core/systemd/systemd_256.5.bb index 11b0fc5f05..db053b4542 100644 --- a/meta/recipes-core/systemd/systemd_256.5.bb +++ b/meta/recipes-core/systemd/systemd_256.5.bb
@@ -28,6 +28,7 @@ SRC_URI += " \
28	file://systemd-pager.sh \	28	file://systemd-pager.sh \
29	file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \	29	file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
30	file://0002-implment-systemd-sysv-install-for-OE.patch \	30	file://0002-implment-systemd-sysv-install-for-OE.patch \
		31	file://0003-coredump-set-ProtectHome-to-read-only.patch \
31	"	32	"
32		33
33	# patches needed by musl	34	# patches needed by musl