[PATCH] nspawn: apply BindUser/Ephemeral from settings file only if trusted

Originally reported on yeswehack.com as:
YWH-PGM9780-116

Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a

(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91)
(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc)

Origin: backport, https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a

Gbp-Pq: Name CVE-2026-40226-1.patch

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 7515380fcdab61941db51e146624ec991e5d6b77..16a39f8e9ebbe3c31dee273e229b0195c73ce250 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4028,7 +4028,12 @@ static int merge_settings(Settings *settings, const char *path) {
         }
 
         if ((arg_settings_mask & SETTING_EPHEMERAL) == 0)
-                arg_ephemeral = settings->ephemeral;
+        {
+                if (!arg_settings_trusted)
+                        log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
+                else
+                        arg_ephemeral = settings->ephemeral;
+        }
 
         if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
             settings->root) {