Backport of the following upstream patch:
From
6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001
From: Alex Murray <alex.murray@canonical.com>
Date: Thu, 20 Oct 2022 10:28:42 +1030
Subject: [PATCH 1/4] data: Add systemd-tmpfiles configuration to create
private tmp dir
Use systemd-tmpfiles to create the private tmp mount namespace root
dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive
permissions. We can use this as a known location to then create per-snap
private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE)
etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Name 0017-cve-2022-3328-1.patch
$(MAKE) -C systemd $@
$(MAKE) -C systemd-user $@
$(MAKE) -C systemd-env $@
+ $(MAKE) -C systemd-tmpfiles $@
$(MAKE) -C dbus $@
$(MAKE) -C env $@
$(MAKE) -C desktop $@
--- /dev/null
+#
+# Copyright (C) 2022 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+LIBEXECDIR := /usr/lib
+TMPFILESDIR := $(LIBEXECDIR)/tmpfiles.d
+
+TMPFILES_CONF = $(wildcard *.conf)
+
+.PHONY: all
+all: $(TMPFILES_CONF)
+
+.PHONY: install
+install: $(TMPFILES_CONF)
+ install -d -m 0755 $(DESTDIR)/$(TMPFILESDIR)
+ install -m 0644 -t $(DESTDIR)/$(TMPFILESDIR) $^
+
+.PHONY: clean
+clean:
+ echo "Nothing to see here."
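Review bot: `TMPFILES_CONF = $(wildcard *.conf)` installs whatever `.conf` files happen to be present in this directory into tmpfiles.d, where systemd-tmpfiles processes them as root. For a file that sets up a security boundary an explicit list is safer, e.g. `TMPFILES_CONF := snapd.conf` (the name both spec files package, so presumably the source file's name too). With an explicit name, a missing file fails at the `install:` prerequisite instead of reaching `install -m 0644 -t ...` with no source operand when the glob is empty. The `=` assignment also re-evaluates the glob on every expansion, so `:=` is preferable either way.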
--- /dev/null
+D! /tmp/snap-private-tmp 0700 root root -
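Review bot: The `!` modifier on `D! /tmp/snap-private-tmp 0700 root root -` means the line is applied only when systemd-tmpfiles runs with `--boot`, so after a package upgrade without a reboot this file does not create the directory. Because /tmp is world-writable, the code that later uses this path (in the other patches of the series, not visible here) should verify that the directory is owned by root, has mode 0700 and is not a symlink before creating per-snap directories under it, rather than assume tmpfiles has already run. A comment above the line would record that contract, e.g. `# Root of per-snap private tmp dirs; created at boot only, consumers must verify owner and mode`. Neither spec hunk on this page shows a post-install step that creates the directory, so that is worth confirming in the packaging as well.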
%{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
%{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
# Amazon Linux 2 does not have the updated policy containing the fix for
install -d -p %{buildroot}%{_environmentdir}
install -d -p %{buildroot}%{_systemdgeneratordir}
install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
install -d -p %{buildroot}%{_unitdir}
install -d -p %{buildroot}%{_userunitdir}
install -d -p %{buildroot}%{_sysconfdir}/profile.d
%{_sysconfdir}/profile.d/snapd.sh
%{_mandir}/man8/snapd-env-generator.8*
%{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
%{_unitdir}/snapd.socket
%{_unitdir}/snapd.service
%{_unitdir}/snapd.autoimport.service
%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
# This is fixed in SUSE Linux 15
# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
%dir %{_sharedstatedir}/snapd/sequence
%dir %{_sharedstatedir}/snapd/snaps
%dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
%dir %{_systemdgeneratordir}
%dir %{_userunitdir}
%dir %{snap_mount_dir}
%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
%{_systemd_system_env_generator_dir}/snapd-env-generator
%{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
%{_unitdir}/snapd.failure.service
%{_unitdir}/snapd.seeded.service
%{_unitdir}/snapd.service