Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch | 38 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd_256.5.bb | 1 |
2 files changed, 39 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch b/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch new file mode 100644 index 0000000000..feb1178d23 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0003-coredump-set-ProtectHome-to-read-only.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 4ac1755be2d6c141fae7e57c42936e507c5b54e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Etienne Cordonnier <ecordonnier@snap.com> | ||
3 | Date: Fri, 6 Sep 2024 10:36:28 +0200 | ||
4 | Subject: [PATCH] coredump: set ProtectHome to read-only | ||
5 | |||
6 | In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819 | ||
7 | ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump. | ||
8 | At that point the object analysis was done in the main systemd-coredump process. | ||
9 | Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names). | ||
10 | |||
11 | However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process, | ||
12 | covering those security concerns. | ||
13 | |||
14 | Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home. | ||
15 | |||
16 | Upstream-Status: Backport [https://github.com/systemd/systemd/commit/4ac1755be2d6c141fae7e57c42936e507c5b54e3] | ||
17 | |||
18 | Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> | ||
19 | --- | ||
20 | units/systemd-coredump@.service.in | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in | ||
24 | index 012c60d2f6..fa3206d07b 100644 | ||
25 | --- a/units/systemd-coredump@.service.in | ||
26 | +++ b/units/systemd-coredump@.service.in | ||
27 | @@ -28,7 +28,7 @@ PrivateDevices=yes | ||
28 | PrivateNetwork=yes | ||
29 | PrivateTmp=yes | ||
30 | ProtectControlGroups=yes | ||
31 | -ProtectHome=yes | ||
32 | +ProtectHome=read-only | ||
33 | ProtectHostname=yes | ||
34 | ProtectKernelModules=yes | ||
35 | ProtectKernelTunables=yes | ||
36 | -- | ||
37 | 2.43.0 | ||
38 | |||
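Review bot: The security rationale in the imported patch description (lines 11-12 of the new file) rests on systemd-coredump already doing its object analysis in a forked child (upstream commit 61aea456c12c54f49c4a76259af130e576130ce9); please state in the OE commit message that systemd 256.5 carries that change, because relaxing `ProtectHome=yes` to `ProtectHome=read-only` otherwise gives the coredump service read access to /home, /root and /run/user that the unit deliberately did not have before. It would also help to record which upstream release contains 4ac1755be2d6c141fae7e57c42936e507c5b54e3 so the backport can be dropped at the next version bump. Minor: the description's "is unable to product symbolicated call-stacks" should read "produce"; harmless in a verbatim backport, but easy to fix if the patch is ever regenerated.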
diff --git a/meta/recipes-core/systemd/systemd_256.5.bb b/meta/recipes-core/systemd/systemd_256.5.bb index 11b0fc5f05..db053b4542 100644 --- a/meta/recipes-core/systemd/systemd_256.5.bb +++ b/meta/recipes-core/systemd/systemd_256.5.bb | |||
@@ -28,6 +28,7 @@ SRC_URI += " \ | |||
28 | file://systemd-pager.sh \ | 28 | file://systemd-pager.sh \ |
29 | file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ | 29 | file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ |
30 | file://0002-implment-systemd-sysv-install-for-OE.patch \ | 30 | file://0002-implment-systemd-sysv-install-for-OE.patch \ |
31 | file://0003-coredump-set-ProtectHome-to-read-only.patch \ | ||
31 | " | 32 | " |
32 | 33 | ||
33 | # patches needed by musl | 34 | # patches needed by musl |
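Review bot: Appending the new entry as `file://0003-coredump-set-ProtectHome-to-read-only.patch \` keeps the numbering and ordering of the existing 0001/0002 patches in this SRC_URI list, and no other recipe change is needed since the patch only touches units/systemd-coredump@.service.in. Consider a short comment next to the entry noting it is an upstream backport to be removed on upgrade, matching how the recipe already annotates the musl patches below.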