Backport of the following upstream patch:
From
6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001
private tmp dir
Backport of the following upstream patch:
From
6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001
From: Alex Murray <alex.murray@canonical.com>
Date: Thu, 20 Oct 2022 10:28:42 +1030
Subject: [PATCH 1/4] data: Add systemd-tmpfiles configuration to create
private tmp dir
Use systemd-tmpfiles to create the private tmp mount namespace root
dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive
permissions. We can use this as a known location to then create per-snap
private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE)
etc.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Gbp-Pq: Topic cve20223328
Gbp-Pq: Name 0016-cve-2022-3328-1.patch
all install clean:
$(MAKE) -C systemd $@
$(MAKE) -C systemd-env $@
+ $(MAKE) -C systemd-tmpfiles $@
$(MAKE) -C dbus $@
$(MAKE) -C env $@
$(MAKE) -C desktop $@
--- /dev/null
+#
+# Copyright (C) 2022 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+LIBEXECDIR := /usr/lib
+TMPFILESDIR := $(LIBEXECDIR)/tmpfiles.d
+
+TMPFILES_CONF = $(wildcard *.conf)
+
+.PHONY: all
+all: $(TMPFILES_CONF)
+
+.PHONY: install
+install: $(TMPFILES_CONF)
+ install -d -m 0755 $(DESTDIR)/$(TMPFILESDIR)
+ install -m 0644 -t $(DESTDIR)/$(TMPFILESDIR) $^
+
+.PHONY: clean
+clean:
+ echo "Nothing to see here."
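Review bot: `TMPFILES_CONF = $(wildcard *.conf)` installs every `*.conf` that happens to be in this directory into tmpfiles.d, where systemd-tmpfiles processes it as root, so a stray or generated file would ship without anyone having listed it. Naming the file explicitly, `TMPFILES_CONF := snapd.conf`, keeps the installed set reviewable and makes a missing file fail the build; the name is inferred from the spec hunks, which package only `snapd.conf`. With the wildcard, an empty match leaves `install -t` with no source operand, and `:=` also stops the glob being re-expanded on every reference. Minor: TMPFILESDIR is already absolute, so `$(DESTDIR)/$(TMPFILESDIR)` yields a doubled slash; `$(DESTDIR)$(TMPFILESDIR)` is the usual form.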
--- /dev/null
+D! /tmp/snap-private-tmp 0700 root root -
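Review bot: The entry carries no comment, yet both its `D` type and its `!` modifier determine what later code may assume about /tmp/snap-private-tmp. Per tmpfiles.d(5), `!` lines are applied only when systemd-tmpfiles runs with `--boot`, so after a package upgrade the directory does not exist until the next boot, and on a system where systemd-tmpfiles never runs it is never created. Because /tmp is world-writable, whatever creates the per-snap directories beneath this path (not shown in this patch) should still verify that it is a real directory, not a symlink, owned by root with mode 0700, rather than trust that this entry ran. I would add above the line: `# Root of per-snap private tmp dirs; created at boot only ('!'); must stay root:root 0700.`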
%{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
%{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
# Fedora selinux-policy includes 'map' permission on a 'file' class. However,
# neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
install -d -p %{buildroot}%{_localstatedir}/cache/snapd
install -d -p %{buildroot}%{_datadir}/polkit-1/actions
install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
%if 0%{?with_selinux}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -d -p %{buildroot}%{_datadir}/selinux/packages
%{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
%{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
%{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
%config(noreplace) %{_sysconfdir}/sysconfig/snapd
%dir %{_sharedstatedir}/snapd
%dir %{_sharedstatedir}/snapd/assertions
%{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
%{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
%{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
# This is fixed in SUSE Linux 15
# Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
%dir %{_localstatedir}/cache/snapd
%dir %{_environmentdir}
%dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
%dir %{_systemdgeneratordir}
%dir %{_datadir}/dbus-1
%dir %{_datadir}/dbus-1/services
%{_libexecdir}/snapd/complete.sh
%{_libexecdir}/snapd/etelpmoc.sh
%{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
%{_mandir}/man8/snap.8*
%{_datadir}/applications/snap-handle-link.desktop
%{_datadir}/dbus-1/services/io.snapcraft.Launcher.service