From 323c8e410b1c77cfcb1b01a3235bb079ad2b7a76 Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 20 Oct 2022 10:28:42 +1030 Subject: [PATCH] [PATCH 1/4] data: Add systemd-tmpfiles configuration to create Backport of the following upstream patch: From 6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001 private tmp dir Backport of the following upstream patch: From 6226cdc57052f4b7057d92f2e549aa169e35cd2d Mon Sep 17 00:00:00 2001 From: Alex Murray Date: Thu, 20 Oct 2022 10:28:42 +1030 Subject: [PATCH 1/4] data: Add systemd-tmpfiles configuration to create private tmp dir Use systemd-tmpfiles to create the private tmp mount namespace root dir (/tmp/snap-private-tmp) on boot as owned by root with restrictive permissions. We can use this as a known location to then create per-snap private tmp mount namespace dirs (/tmp/snap-private-tmp/snap.$SNAP_INSTANCE) etc. Signed-off-by: Alex Murray Gbp-Pq: Name 0017-cve-2022-3328-1.patch
---
 data/Makefile | 1 +
 data/systemd-tmpfiles/Makefile | 31 +++++++++++++++++++++++++++++++
 data/systemd-tmpfiles/snapd.conf | 1 +
 packaging/fedora/snapd.spec | 3 +++
 packaging/opensuse/snapd.spec | 3 +++
 5 files changed, 39 insertions(+)
 create mode 100644 data/systemd-tmpfiles/Makefile
 create mode 100644 data/systemd-tmpfiles/snapd.conf
diff --git a/data/Makefile b/data/Makefile
index df23561c..6b49c563 100644
--- a/data/Makefile
+++ b/data/Makefile
@@ -2,6 +2,7 @@ all install clean:
 $(MAKE) -C systemd $@
 $(MAKE) -C systemd-user $@
 $(MAKE) -C systemd-env $@
+ $(MAKE) -C systemd-tmpfiles $@
 $(MAKE) -C dbus $@
 $(MAKE) -C env $@
 $(MAKE) -C desktop $@
diff --git a/data/systemd-tmpfiles/Makefile b/data/systemd-tmpfiles/Makefile
new file mode 100644
index 00000000..f572ee8a
--- /dev/null
+++ b/data/systemd-tmpfiles/Makefile
@@ -0,0 +1,31 @@
+#
+# Copyright (C) 2022 Canonical Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 3 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+LIBEXECDIR := /usr/lib
+TMPFILESDIR := $(LIBEXECDIR)/tmpfiles.d
+
+TMPFILES_CONF = $(wildcard *.conf)
+
+.PHONY: all
+all: $(TMPFILES_CONF)
+
+.PHONY: install
+install: $(TMPFILES_CONF)
+ install -d -m 0755 $(DESTDIR)/$(TMPFILESDIR)
+ install -m 0644 -t $(DESTDIR)/$(TMPFILESDIR) $^
+
+.PHONY: clean
+clean:
+ echo "Nothing to see here."
diff --git a/data/systemd-tmpfiles/snapd.conf b/data/systemd-tmpfiles/snapd.conf
new file mode 100644
index 00000000..03c9bb07
--- /dev/null
+++ b/data/systemd-tmpfiles/snapd.conf
@@ -0,0 +1 @@
+D! /tmp/snap-private-tmp 0700 root root -
diff --git a/packaging/fedora/snapd.spec b/packaging/fedora/snapd.spec
index 5be2711e..021e30bd 100644
--- a/packaging/fedora/snapd.spec
+++ b/packaging/fedora/snapd.spec
@@ -86,6 +86,7 @@
 %{!?_environmentdir: %global _environmentdir %{_prefix}/lib/environment.d}
 %{!?_systemdgeneratordir: %global _systemdgeneratordir %{_prefix}/lib/systemd/system-generators}
 %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 # Fedora selinux-policy includes 'map' permission on a 'file' class. However,
 # Amazon Linux 2 does not have the updated policy containing the fix for
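Review bot: `TMPFILES_CONF = $(wildcard *.conf)` in data/systemd-tmpfiles/Makefile makes the `install` target copy every `.conf` file that happens to be in the directory into tmpfiles.d, where systemd-tmpfiles processes it as root. Naming the shipped file explicitly, `TMPFILES_CONF := snapd.conf`, keeps a stray or leftover file out of the package and turns a missing snapd.conf into an explicit make error. Two smaller points of style in the same recipe: `$(DESTDIR)/$(TMPFILESDIR)` produces a double slash because TMPFILESDIR is absolute (`$(DESTDIR)$(TMPFILESDIR)` is the usual spelling), and `install -t` is specific to GNU coreutils.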
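Review bot: The `!` in `D! /tmp/snap-private-tmp 0700 root root -` (data/systemd-tmpfiles/snapd.conf) limits the line to `systemd-tmpfiles --boot` runs, so after a package install or upgrade the directory is not created until the next reboot, and until then the name under world-writable /tmp is not reserved by root. The file carries no comment saying so, and the code that consumes the directory is not part of this patch, so a reader cannot tell that it has to check for a root-owned 0700 directory instead of assuming one. I would add a header comment such as `# Root-owned base for per-snap private tmp dirs; applied at boot only, so users of this path must verify owner and mode.` The spec hunks add the file to `%files` without a scriptlet, which fits the boot-only modifier and is worth stating in the same comment.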
@@ -582,6 +583,7 @@ install -d -p %{buildroot}%{_mandir}/man8
 install -d -p %{buildroot}%{_environmentdir}
 install -d -p %{buildroot}%{_systemdgeneratordir}
 install -d -p %{buildroot}%{_systemd_system_env_generator_dir}
+install -d -p %{buildroot}%{_tmpfilesdir}
 install -d -p %{buildroot}%{_unitdir}
 install -d -p %{buildroot}%{_userunitdir}
 install -d -p %{buildroot}%{_sysconfdir}/profile.d
@@ -780,6 +782,7 @@ popd
 %{_sysconfdir}/profile.d/snapd.sh
 %{_mandir}/man8/snapd-env-generator.8*
 %{_systemd_system_env_generator_dir}/snapd-env-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.socket
 %{_unitdir}/snapd.service
 %{_unitdir}/snapd.autoimport.service
diff --git a/packaging/opensuse/snapd.spec b/packaging/opensuse/snapd.spec
index 6b60cf34..f7290eb7 100644
--- a/packaging/opensuse/snapd.spec
+++ b/packaging/opensuse/snapd.spec
@@ -49,6 +49,7 @@
 %{?!_systemdusergeneratordir: %global _systemdusergeneratordir %{_prefix}/lib/systemd/user-generators}
 %{?!_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators}
 %{?!_systemd_user_env_generator_dir: %global _systemd_user_env_generator_dir %{_prefix}/lib/systemd/user-environment-generators}
+%{!?_tmpfilesdir: %global _tmpfilesdir %{_prefix}/lib/tmpfiles.d}
 # This is fixed in SUSE Linux 15
 # Cf. https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=396
@@ -389,6 +390,7 @@ fi
 %dir %{_sharedstatedir}/snapd/sequence
 %dir %{_sharedstatedir}/snapd/snaps
 %dir %{_systemd_system_env_generator_dir}
+%dir %{_tmpfilesdir}
 %dir %{_systemdgeneratordir}
 %dir %{_userunitdir}
 %dir %{snap_mount_dir}
@@ -443,6 +445,7 @@ fi
 %{_sysconfdir}/xdg/autostart/snap-userd-autostart.desktop
 %{_systemd_system_env_generator_dir}/snapd-env-generator
 %{_systemdgeneratordir}/snapd-generator
+%{_tmpfilesdir}/snapd.conf
 %{_unitdir}/snapd.failure.service
 %{_unitdir}/snapd.seeded.service
 %{_unitdir}/snapd.service
-- 
2.30.2