From: Alex Murray Date: Wed, 19 Oct 2022 23:58:42 +0000 (+1030) Subject: [PATCH 1/4] data: Add systemd-tmpfiles configuration to create X-Git-Tag: archive/raspbian/2.37.4-1+rpi1+deb10u2^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7a50a9177539adf2ca8393f491878fcd34228fad;p=snapd.git [PATCH 1/4] data: Add systemd-tmpfiles configuration to create Backport of the following upstream patch: From 6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001 private tmp dir Backport of the following upstream patch: From 6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 20 Oct 2022 10:28:42 +1030 Subject: [PATCH 1/4] data: Add systemd-tmpfiles configuration to create private tmp dir Use systemd-tmpfiles to create the private tmp mount namespace root dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive permissions. We can use this as a known location to then create per-snap private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE) etc. Signed-off-by: Alex Murray Gbp-Pq: Topic cve20223328 Gbp-Pq: Name 0016-cve-2022-3328-1.patch
---
diff --git a/data/Makefile b/data/Makefile
index 98467126..8a173308 100644
--- a/data/Makefile
+++ b/data/Makefile
@@ -1,6 +1,7 @@
 all install clean:
 $(MAKE) -C systemd $@
 $(MAKE) -C systemd-env $@
+ $(MAKE) -C systemd-tmpfiles $@
 $(MAKE) -C dbus $@
 $(MAKE) -C env $@
 $(MAKE) -C desktop $@
diff --git a/data/systemd-tmpfiles/Makefile b/data/systemd-tmpfiles/Makefile
new file mode 100644
index 00000000..f572ee8a
--- /dev/null
+++ b/data/systemd-tmpfiles/Makefile
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2022 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+LIBEXECDIR := /usr/lib
+TMPFILESDIR := $(LIBEXECDIR)/tmpfiles.d
+
+TMPFILES_CONF = $(wildcard *.conf)
+
+.PHONY: all
+all: $(TMPFILES_CONF)
+
+.PHONY: install
+install: $(TMPFILES_CONF)
+ install -d -m 0755 $(DESTDIR)/$(TMPFILESDIR)
+ install -m 0644 -t $(DESTDIR)/$(TMPFILESDIR) $^
+
+.PHONY: clean
+clean:
+ echo "Nothing to see here."
diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
new file mode 100644
index 00000000..03c9bb07
--- /dev/null
+++ b/data/systemd-tmpfiles/snapd.conf
@@ -0,0 +1 @@
+D! /tmp/snap-private-tmp 0700 root root -
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
index 076cc8a0..cebb4a52 100644
--- a/packaging/fedora/snapd.spec
+++ b/packaging/fedora/snapd.spec
@@ -82,6 +82,7 @@
 %{?!_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
 %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # Fedora selinux-policy includes 'map' permission on a 'file' class. However,
 # neither Amazon Linux 2 nor CentOS 7 have had the policy updated. According to
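Review bot: `TMPFILES_CONF = $(wildcard *.conf)` in data/systemd-tmpfiles/Makefile lets the `install` target ship every `.conf` file that happens to be in the directory, and anything placed in tmpfiles.d is acted on by systemd-tmpfiles as root. Naming the file explicitly, `TMPFILES_CONF := snapd.conf`, keeps a stray or leftover file out of the package and avoids re-evaluating the glob on each expansion. As a smaller style point, TMPFILESDIR is already absolute, so `$(DESTDIR)$(TMPFILESDIR)` is the conventional spelling rather than `$(DESTDIR)/$(TMPFILESDIR)`.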
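Review bot: The `!` in `D! /tmp/snap-private-tmp 0700 root root -` (data/systemd-tmpfiles/snapd.conf) limits this entry to systemd-tmpfiles runs with `--boot`, so after a package install or upgrade without a reboot the directory is not created by this line, and /tmp is world-writable in the meantime. The code that creates the per-snap directories underneath should therefore check that /tmp/snap-private-tmp is a real directory owned by root with mode 0700 rather than rely on this file alone; that consumer is not visible in this patch (1/4), so it may well be handled later in the series. The file would also benefit from a leading comment, for example `# Root dir for per-snap private tmp dirs (snap.$SNAP_INSTANCE); must stay root:root 0700.`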
@@ -545,6 +546,7 @@ install -d -p %{buildroot}%{_localstatedir}/snap
 install -d -p %{buildroot}%{_localstatedir}/cache/snapd
 install -d -p %{buildroot}%{_datadir}/polkit-1/actions
 install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
 %if 0%{?with_selinux}
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/contrib
 install -d -p %{buildroot}%{_datadir}/selinux/packages
@@ -713,6 +715,7 @@ popd
 %{_datadir}/polkit-1/actions/io.snapcraft.snapd.policy
 %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
 %{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/snapd
 %dir %{_sharedstatedir}/snapd
 %dir %{_sharedstatedir}/snapd/assertions
diff --git a/packaging/opensuse/snapd.spec b/packaging/opensuse/snapd.spec
index d771e982..415dd769 100644
--- a/packaging/opensuse/snapd.spec
+++ b/packaging/opensuse/snapd.spec
@@ -34,6 +34,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -377,6 +378,7 @@ fi
 %dir %{_localstatedir}/cache/snapd
 %dir %{_environmentdir}
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_datadir}/dbus-1
 %dir %{_datadir}/dbus-1/services
@@ -417,6 +419,7 @@ fi
 %{_libexecdir}/snapd/complete.sh
 %{_libexecdir}/snapd/etelpmoc.sh
 %{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
 %{_mandir}/man8/snap.8*
 %{_datadir}/applications/snap-handle-link.desktop
 %{_datadir}/dbus-1/services/io.snapcraft.Launcher.service