2 files changed, 153 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch
new file mode 100644
index 0000000000..f359d2879b
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch
@@ -0,0 +1,152 @@
+From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 14 Nov 2019 17:51:30 +0100
+Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
+ __NR_xyz namespace invasion
+A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
+same conditioning for all cases of our __NR_xyz use.
+Fixes: #14031
+Reference:
+https://github.com/systemd/systemd/pull/14032/commits/62f66fdbcc33580467c01b1f149474b6c973df5a
+Upstream-Status: Backport
+Signed-off-by: Ming Liu <liu.ming50@gmail.com>
+---
+ src/basic/missing_syscall.h | 10 +++++-----
+ src/test/test-seccomp.c     | 19 ++++++++++---------
+ 2 files changed, 15 insertions(+), 14 deletions(-)
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 6d9b125..1255d8b 100644
+--- a/src/basic/missing_syscall.h
+++ b/src/basic/missing_syscall.h
+@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
+ 
+ #if !HAVE_KCMP
+ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
+-#  ifdef __NR_kcmp
+#  if defined __NR_kcmp && __NR_kcmp > 0
+         return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
+ #  else
+         errno = ENOSYS;
+@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
+ 
+ #if !HAVE_KEYCTL
+ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
+-#  ifdef __NR_keyctl
+#  if defined __NR_keyctl && __NR_keyctl > 0
+         return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
+ #  else
+         errno = ENOSYS;
+@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
+ }
+ 
+ static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
+-#  ifdef __NR_add_key
+#  if defined __NR_add_key && __NR_add_key > 0
+         return syscall(__NR_add_key, type, description, payload, plen, ringid);
+ #  else
+         errno = ENOSYS;
+@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
+ }
+ 
+ static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
+-#  ifdef __NR_request_key
+#  if defined __NR_request_key && __NR_request_key > 0
+         return syscall(__NR_request_key, type, description, callout_info, destringid);
+ #  else
+         errno = ENOSYS;
+@@ -496,7 +496,7 @@ enum {
+ static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
+                            unsigned long maxnode) {
+         long i;
+-#  ifdef __NR_set_mempolicy
+#  if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
+         i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
+ #  else
+         errno = ENOSYS;
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 018c20f..c669204 100644
+--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
+@@ -28,7 +28,8 @@
+ #include "tmpfile-util.h"
+ #include "virt.h"
+ 
+-#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+/* __NR_socket may be invalid due to libseccomp */
+#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
+ /* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
+  * and we can't restrict it hence via seccomp. */
+ #  define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
+         assert_se(pid >= 0);
+ 
+         if (pid == 0) {
+-#if __NR__sysctl > 0
+#if defined __NR__sysctl && __NR__sysctl > 0
+                 assert_se(syscall(__NR__sysctl, NULL) < 0);
+                 assert_se(errno == EFAULT);
+ #endif
+ 
+                 assert_se(seccomp_protect_sysctl() >= 0);
+ 
+-#if __NR__sysctl > 0
+#if defined __NR__sysctl && __NR__sysctl > 0
+                 assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
+                 assert_se(errno == EPERM);
+ #endif
+@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
+                 assert_se(poll(NULL, 0, 0) == 0);
+ 
+                 assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
+#if defined __NR_access && __NR_access > 0
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
+@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
+                 s = hashmap_free(s);
+ 
+                 assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(access) >= 0
+#if defined __NR_access && __NR_access > 0
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
+                 s = hashmap_free(s);
+ 
+                 assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
+#if defined __NR_poll && __NR_poll > 0
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
+ #else
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
+@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
+                 s = hashmap_free(s);
+ 
+                 assert_se(s = hashmap_new(NULL));
+-#if SCMP_SYS(poll) >= 0
+#if defined __NR_poll && __NR_poll > 0
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+ #else
+                 assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
+@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
+          * testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
+          * other architectures, let's just fall back to the glibc call. */
+ 
+-#ifdef SYS_open
+-        return (int) syscall(SYS_open, path, flags, mode);
+#if defined __NR_open && __NR_open > 0
+        return (int) syscall(__NR_open, path, flags, mode);
+ #else
+         return open(path, flags, mode);
+ #endif
+-- 
+2.7.4
diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb
index 5ea9bf2a83..e31fac8c56 100644
--- a/meta/recipes-core/systemd/systemd_243.2.bb
+++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
           file://0004-rules-whitelist-hd-devices.patch \
           file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
           file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
+           file://0001-seccomp-more-comprehensive-protection-against-libsec.patch \
           file://99-default.preset \
           "

diff --git a/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch new file mode 100644 index 0000000000..f359d2879b --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-seccomp-more-comprehensive-protection-against-libsec.patch
@@ -0,0 +1,152 @@
		1	From 4df8fe8415eaf4abd5b93c3447452547c6ea9e5f Mon Sep 17 00:00:00 2001
		2	From: Lennart Poettering <lennart@poettering.net>
		3	Date: Thu, 14 Nov 2019 17:51:30 +0100
		4	Subject: [PATCH] seccomp: more comprehensive protection against libseccomp's
		5	__NR_xyz namespace invasion
		6
		7	A follow-up for 59b657296a2fe104f112b91bbf9301724067cc81, adding the
		8	same conditioning for all cases of our __NR_xyz use.
		9
		10	Fixes: #14031
		11
		12	Reference:
		13	https://github.com/systemd/systemd/pull/14032/commits/62f66fdbcc33580467c01b1f149474b6c973df5a
		14
		15	Upstream-Status: Backport
		16
		17	Signed-off-by: Ming Liu <liu.ming50@gmail.com>
		18	---
		19	src/basic/missing_syscall.h \| 10 +++++-----
		20	src/test/test-seccomp.c \| 19 ++++++++++---------
		21	2 files changed, 15 insertions(+), 14 deletions(-)
		22
		23	diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
		24	index 6d9b125..1255d8b 100644
		25	--- a/src/basic/missing_syscall.h
		26	+++ b/src/basic/missing_syscall.h
		27	@@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
		28
		29	#if !HAVE_KCMP
		30	static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
		31	-# ifdef __NR_kcmp
		32	+# if defined __NR_kcmp && __NR_kcmp > 0
		33	return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
		34	# else
		35	errno = ENOSYS;
		36	@@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
		37
		38	#if !HAVE_KEYCTL
		39	static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
		40	-# ifdef __NR_keyctl
		41	+# if defined __NR_keyctl && __NR_keyctl > 0
		42	return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
		43	# else
		44	errno = ENOSYS;
		45	@@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
		46	}
		47
		48	static inline key_serial_t missing_add_key(const char type, const char description, const void *payload, size_t plen, key_serial_t ringid) {
		49	-# ifdef __NR_add_key
		50	+# if defined __NR_add_key && __NR_add_key > 0
		51	return syscall(__NR_add_key, type, description, payload, plen, ringid);
		52	# else
		53	errno = ENOSYS;
		54	@@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char type, const char descrip
		55	}
		56
		57	static inline key_serial_t missing_request_key(const char type, const char description, const char * callout_info, key_serial_t destringid) {
		58	-# ifdef __NR_request_key
		59	+# if defined __NR_request_key && __NR_request_key > 0
		60	return syscall(__NR_request_key, type, description, callout_info, destringid);
		61	# else
		62	errno = ENOSYS;
		63	@@ -496,7 +496,7 @@ enum {
		64	static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
		65	unsigned long maxnode) {
		66	long i;
		67	-# ifdef __NR_set_mempolicy
		68	+# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
		69	i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
		70	# else
		71	errno = ENOSYS;
		72	diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
		73	index 018c20f..c669204 100644
		74	--- a/src/test/test-seccomp.c
		75	+++ b/src/test/test-seccomp.c
		76	@@ -28,7 +28,8 @@
		77	#include "tmpfile-util.h"
		78	#include "virt.h"
		79
		80	-#if SCMP_SYS(socket) < 0 \|\| defined(__i386__) \|\| defined(__s390x__) \|\| defined(__s390__)
		81	+/* __NR_socket may be invalid due to libseccomp */
		82	+#if !defined(__NR_socket) \|\| __NR_socket <= 0 \|\| defined(__i386__) \|\| defined(__s390x__) \|\| defined(__s390__)
		83	/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
		84	* and we can't restrict it hence via seccomp. */
		85	# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
		86	@@ -304,14 +305,14 @@ static void test_protect_sysctl(void) {
		87	assert_se(pid >= 0);
		88
		89	if (pid == 0) {
		90	-#if __NR__sysctl > 0
		91	+#if defined __NR__sysctl && __NR__sysctl > 0
		92	assert_se(syscall(__NR__sysctl, NULL) < 0);
		93	assert_se(errno == EFAULT);
		94	#endif
		95
		96	assert_se(seccomp_protect_sysctl() >= 0);
		97
		98	-#if __NR__sysctl > 0
		99	+#if defined __NR__sysctl && __NR__sysctl > 0
		100	assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
		101	assert_se(errno == EPERM);
		102	#endif
		103	@@ -640,7 +641,7 @@ static void test_load_syscall_filter_set_raw(void) {
		104	assert_se(poll(NULL, 0, 0) == 0);
		105
		106	assert_se(s = hashmap_new(NULL));
		107	-#if SCMP_SYS(access) >= 0
		108	+#if defined __NR_access && __NR_access > 0
		109	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
		110	#else
		111	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
		112	@@ -656,7 +657,7 @@ static void test_load_syscall_filter_set_raw(void) {
		113	s = hashmap_free(s);
		114
		115	assert_se(s = hashmap_new(NULL));
		116	-#if SCMP_SYS(access) >= 0
		117	+#if defined __NR_access && __NR_access > 0
		118	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
		119	#else
		120	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
		121	@@ -672,7 +673,7 @@ static void test_load_syscall_filter_set_raw(void) {
		122	s = hashmap_free(s);
		123
		124	assert_se(s = hashmap_new(NULL));
		125	-#if SCMP_SYS(poll) >= 0
		126	+#if defined __NR_poll && __NR_poll > 0
		127	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
		128	#else
		129	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
		130	@@ -689,7 +690,7 @@ static void test_load_syscall_filter_set_raw(void) {
		131	s = hashmap_free(s);
		132
		133	assert_se(s = hashmap_new(NULL));
		134	-#if SCMP_SYS(poll) >= 0
		135	+#if defined __NR_poll && __NR_poll > 0
		136	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
		137	#else
		138	assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
		139	@@ -767,8 +768,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
		140	* testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
		141	* other architectures, let's just fall back to the glibc call. */
		142
		143	-#ifdef SYS_open
		144	- return (int) syscall(SYS_open, path, flags, mode);
		145	+#if defined __NR_open && __NR_open > 0
		146	+ return (int) syscall(__NR_open, path, flags, mode);
		147	#else
		148	return open(path, flags, mode);
		149	#endif
		150	--
		151	2.7.4
		152


diff --git a/meta/recipes-core/systemd/systemd_243.2.bb b/meta/recipes-core/systemd/systemd_243.2.bb index 5ea9bf2a83..e31fac8c56 100644 --- a/meta/recipes-core/systemd/systemd_243.2.bb +++ b/meta/recipes-core/systemd/systemd_243.2.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://touchscreen.rules \
23	file://0004-rules-whitelist-hd-devices.patch \	23	file://0004-rules-whitelist-hd-devices.patch \
24	file://0005-rules-watch-metadata-changes-in-ide-devices.patch \	24	file://0005-rules-watch-metadata-changes-in-ide-devices.patch \
25	file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \	25	file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \
		26	file://0001-seccomp-more-comprehensive-protection-against-libsec.patch \
26	file://99-default.preset \	27	file://99-default.preset \
27	"	28	"
28		29