From c9d170cd932b40196edb5840958cc8765523cea2 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Wed, 24 Jul 2024 03:42:17 +0300 Subject: [PATCH] import systemd-252-32.el9_4.6 --- .gitignore | 1 + .systemd.metadata | 1 + ...7-execute-Pass-AT_FDCWD-instead-of-1.patch | 36 ++ ...e-stacktraces-also-for-processes-run.patch | 530 ++++++++++++++++++ ...couple-of-tests-for-systemd-coredump.patch | 194 +++++++ ...d-the-subshell-expression-prematurel.patch | 54 ++ ...p-filter-fix-stack-overflow-with-all.patch | 63 +++ ...add-mask-for-all-using-UINT32_MAX-no.patch | 59 ++ ...-add-coverage-for-CoredumpFilter-all.patch | 26 + ...ate-journal-before-storing-coredumps.patch | 52 ++ ...th-the-fake-binary-before-killing-it.patch | 77 +++ ...ump-handling-in-containers-namespace.patch | 112 ++++ ...e-test-happy-with-the-latest-OpenSSL.patch | 42 ++ ...ernel-install-fix-uki-copy-deinstall.patch | 44 ++ ...t-assert-when-unsealing-token-withou.patch | 75 +++ ...-the-existence-of-salt-by-salt_size-.patch | 29 + ...1-bootspec-fix-null-dereference-read.patch | 38 ++ SPECS/systemd.spec | 66 ++- 18 files changed, 1498 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0717-execute-Pass-AT_FDCWD-instead-of-1.patch create mode 100644 SOURCES/0718-coredump-generate-stacktraces-also-for-processes-run.patch create mode 100644 SOURCES/0719-test-add-a-couple-of-tests-for-systemd-coredump.patch create mode 100644 SOURCES/0720-test-don-t-expand-the-subshell-expression-prematurel.patch create mode 100644 SOURCES/0721-coredump-filter-fix-stack-overflow-with-all.patch create mode 100644 SOURCES/0722-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch create mode 100644 SOURCES/0723-test-add-coverage-for-CoredumpFilter-all.patch create mode 100644 SOURCES/0724-test-rotate-journal-before-storing-coredumps.patch create mode 100644 SOURCES/0725-test-sync-with-the-fake-binary-before-killing-it.patch create mode 100644 SOURCES/0726-test-check-coredump-handling-in-containers-namespace.patch create mode 100644 SOURCES/0727-ukify-make-the-test-happy-with-the-latest-OpenSSL.patch create mode 100644 SOURCES/0728-kernel-install-fix-uki-copy-deinstall.patch create mode 100644 SOURCES/0729-cryptsetup-do-not-assert-when-unsealing-token-withou.patch create mode 100644 SOURCES/0730-cryptsetup-check-the-existence-of-salt-by-salt_size-.patch create mode 100644 SOURCES/0731-bootspec-fix-null-dereference-read.patch diff --git a/.gitignore b/.gitignore index 50cdc17..bff641a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ SOURCES/rhel-net-naming-sysattrs-v0.5.tar.gz SOURCES/systemd-252.tar.gz +SOURCES/systemd-container-coredump.pp.bz2 diff --git a/.systemd.metadata b/.systemd.metadata index 1e483ad..2824411 100644 --- a/.systemd.metadata +++ b/.systemd.metadata @@ -1,2 +1,3 @@ 9ce6834429dbb9cb049de1bdf77bc8c84763709c SOURCES/rhel-net-naming-sysattrs-v0.5.tar.gz 7c961dc6e8bb950825b85129f59dc80f4536cabb SOURCES/systemd-252.tar.gz +36eac49c362dc6e142f23b570a9a6b75f7547250 SOURCES/systemd-container-coredump.pp.bz2 diff --git a/SOURCES/0717-execute-Pass-AT_FDCWD-instead-of-1.patch b/SOURCES/0717-execute-Pass-AT_FDCWD-instead-of-1.patch new file mode 100644 index 0000000..f5e94b4 --- /dev/null +++ b/SOURCES/0717-execute-Pass-AT_FDCWD-instead-of-1.patch @@ -0,0 +1,36 @@ +From 8e8f4d63f77fb9436d1e4caa2a4670dc3cf74657 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 13 Dec 2022 10:50:01 +0000 +Subject: [PATCH] execute: Pass AT_FDCWD instead of -1 + +Let's enforce that callers pass AT_FDCWD as read_dfd to load_credential() +to avoid an assert() in read_full_file_full() if read_dfd is -1. + +(cherry picked from commit 661e4251a5b157d1aee1df98fbd2f0c95285ebba) + +Resolves: RHEL-32259 +--- + src/core/execute.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index ea36254241..13222ddea3 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2662,6 +2662,7 @@ static int load_credential( + assert(id); + assert(path); + assert(unit); ++ assert(read_dfd >= 0 || read_dfd == AT_FDCWD); + assert(write_dfd >= 0); + assert(left); + +@@ -2888,7 +2889,7 @@ static int acquire_credentials( + lc->path, + lc->encrypted, + unit, +- -1, ++ AT_FDCWD, + dfd, + uid, + ownership_ok, diff --git a/SOURCES/0718-coredump-generate-stacktraces-also-for-processes-run.patch b/SOURCES/0718-coredump-generate-stacktraces-also-for-processes-run.patch new file mode 100644 index 0000000..f0d6805 --- /dev/null +++ b/SOURCES/0718-coredump-generate-stacktraces-also-for-processes-run.patch @@ -0,0 +1,530 @@ +From 65989e9f8f66ef3d6a81d38b913616ce722bab2b Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 18 Mar 2024 13:01:40 +0100 +Subject: [PATCH] coredump: generate stacktraces also for processes running in + containers w/o coredump forwarding + +Note that entering container namespace has to be explicitly enabled by +setting SYSTEMD_COREDUMP_ALLOW_NAMESPACE_CHANGE environment variable. + +RHEL-only + +Resolves: RHEL-34061 +--- + src/analyze/analyze-inspect-elf.c | 2 +- + src/basic/socket-util.c | 52 +++++++++++ + src/basic/socket-util.h | 15 ++++ + src/coredump/coredump.c | 143 +++++++++++++++++++----------- + src/shared/elf-util.c | 46 +++++++++- + src/shared/elf-util.h | 4 +- + 6 files changed, 202 insertions(+), 60 deletions(-) + +diff --git a/src/analyze/analyze-inspect-elf.c b/src/analyze/analyze-inspect-elf.c +index 155c611c71..b8074100a5 100644 +--- a/src/analyze/analyze-inspect-elf.c ++++ b/src/analyze/analyze-inspect-elf.c +@@ -30,7 +30,7 @@ static int analyze_elf(char **filenames, JsonFormatFlags json_flags) { + if (fd < 0) + return log_error_errno(fd, "Could not open \"%s\": %m", abspath); + +- r = parse_elf_object(fd, abspath, /* fork_disable_dump= */false, NULL, &package_metadata); ++ r = parse_elf_object(fd, -EBADF, UID_NOBODY, GID_NOBODY, abspath, /* fork_disable_dump= */false, NULL, &package_metadata); + if (r < 0) + return log_error_errno(r, "Parsing \"%s\" as ELF object failed: %m", abspath); + +diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c +index f39be19a59..1d86ca3f55 100644 +--- a/src/basic/socket-util.c ++++ b/src/basic/socket-util.c +@@ -41,6 +41,11 @@ + # define IDN_FLAGS 0 + #endif + ++/* From the kernel's include/net/scm.h */ ++#ifndef SCM_MAX_FD ++# define SCM_MAX_FD 253 ++#endif ++ + static const char* const socket_address_type_table[] = { + [SOCK_STREAM] = "Stream", + [SOCK_DGRAM] = "Datagram", +@@ -951,6 +956,53 @@ int getpeergroups(int fd, gid_t **ret) { + return (int) n; + } + ++ssize_t send_many_fds_iov_sa( ++ int transport_fd, ++ int *fds_array, size_t n_fds_array, ++ const struct iovec *iov, size_t iovlen, ++ const struct sockaddr *sa, socklen_t len, ++ int flags) { ++ ++ _cleanup_free_ struct cmsghdr *cmsg = NULL; ++ struct msghdr mh = { ++ .msg_name = (struct sockaddr*) sa, ++ .msg_namelen = len, ++ .msg_iov = (struct iovec *)iov, ++ .msg_iovlen = iovlen, ++ }; ++ ssize_t k; ++ ++ assert(transport_fd >= 0); ++ assert(fds_array || n_fds_array == 0); ++ ++ /* The kernel will reject sending more than SCM_MAX_FD FDs at once */ ++ if (n_fds_array > SCM_MAX_FD) ++ return -E2BIG; ++ ++ /* We need either an FD array or data to send. If there's nothing, return an error. */ ++ if (n_fds_array == 0 && !iov) ++ return -EINVAL; ++ ++ if (n_fds_array > 0) { ++ mh.msg_controllen = CMSG_SPACE(sizeof(int) * n_fds_array); ++ mh.msg_control = cmsg = malloc(mh.msg_controllen); ++ if (!cmsg) ++ return -ENOMEM; ++ ++ *cmsg = (struct cmsghdr) { ++ .cmsg_len = CMSG_LEN(sizeof(int) * n_fds_array), ++ .cmsg_level = SOL_SOCKET, ++ .cmsg_type = SCM_RIGHTS, ++ }; ++ memcpy(CMSG_DATA(cmsg), fds_array, sizeof(int) * n_fds_array); ++ } ++ k = sendmsg(transport_fd, &mh, MSG_NOSIGNAL | flags); ++ if (k < 0) ++ return (ssize_t) -errno; ++ ++ return k; ++} ++ + ssize_t send_one_fd_iov_sa( + int transport_fd, + int fd, +diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h +index 2e36e1a56b..61bf8ff32b 100644 +--- a/src/basic/socket-util.h ++++ b/src/basic/socket-util.h +@@ -153,6 +153,13 @@ int getpeercred(int fd, struct ucred *ucred); + int getpeersec(int fd, char **ret); + int getpeergroups(int fd, gid_t **ret); + ++ssize_t send_many_fds_iov_sa( ++ int transport_fd, ++ int *fds_array, size_t n_fds_array, ++ const struct iovec *iov, size_t iovlen, ++ const struct sockaddr *sa, socklen_t len, ++ int flags); ++ + ssize_t send_one_fd_iov_sa( + int transport_fd, + int fd, +@@ -163,6 +170,14 @@ int send_one_fd_sa(int transport_fd, + int fd, + const struct sockaddr *sa, socklen_t len, + int flags); ++static inline int send_many_fds( ++ int transport_fd, ++ int *fds_array, ++ size_t n_fds_array, ++ int flags) { ++ ++ return send_many_fds_iov_sa(transport_fd, fds_array, n_fds_array, NULL, 0, NULL, 0, flags); ++} + #define send_one_fd_iov(transport_fd, fd, iov, iovlen, flags) send_one_fd_iov_sa(transport_fd, fd, iov, iovlen, NULL, 0, flags) + #define send_one_fd(transport_fd, fd, flags) send_one_fd_iov_sa(transport_fd, fd, NULL, 0, NULL, 0, flags) + ssize_t receive_one_fd_iov(int transport_fd, struct iovec *iov, size_t iovlen, int flags, int *ret_fd); +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index b9c5f3ad04..dca78fa72c 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -24,6 +24,7 @@ + #include "coredump-vacuum.h" + #include "dirent-util.h" + #include "elf-util.h" ++#include "env-util.h" + #include "escape.h" + #include "fd-util.h" + #include "fileio.h" +@@ -36,6 +37,7 @@ + #include "main-func.h" + #include "memory-util.h" + #include "mkdir-label.h" ++#include "namespace-util.h" + #include "parse-util.h" + #include "process-util.h" + #include "signal-util.h" +@@ -130,6 +132,8 @@ typedef struct Context { + const char *meta[_META_MAX]; + size_t meta_size[_META_MAX]; + pid_t pid; ++ uid_t uid; ++ gid_t gid; + bool is_pid1; + bool is_journald; + } Context; +@@ -866,36 +870,11 @@ static int get_process_container_parent_cmdline(pid_t pid, char** cmdline) { + return 1; + } + +-static int change_uid_gid(const Context *context) { +- uid_t uid; +- gid_t gid; +- int r; +- +- r = parse_uid(context->meta[META_ARGV_UID], &uid); +- if (r < 0) +- return r; +- +- if (uid_is_system(uid)) { +- const char *user = "systemd-coredump"; +- +- r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0); +- if (r < 0) { +- log_warning_errno(r, "Cannot resolve %s user. Proceeding to dump core as root: %m", user); +- uid = gid = 0; +- } +- } else { +- r = parse_gid(context->meta[META_ARGV_GID], &gid); +- if (r < 0) +- return r; +- } +- +- return drop_privileges(uid, gid, 0); +-} +- + static int submit_coredump( + const Context *context, + struct iovec_wrapper *iovw, +- int input_fd) { ++ int input_fd, ++ int mntns_fd) { + + _cleanup_(json_variant_unrefp) JsonVariant *json_metadata = NULL; + _cleanup_close_ int coredump_fd = -1, coredump_node_fd = -1; +@@ -938,15 +917,6 @@ static int submit_coredump( + /* Vacuum again, but exclude the coredump we just created */ + (void) coredump_vacuum(coredump_node_fd >= 0 ? coredump_node_fd : coredump_fd, arg_keep_free, arg_max_use); + +- /* Now, let's drop privileges to become the user who owns the segfaulted process +- * and allocate the coredump memory under the user's uid. This also ensures that +- * the credentials journald will see are the ones of the coredumping user, thus +- * making sure the user gets access to the core dump. Let's also get rid of all +- * capabilities, if we run as root, we won't need them anymore. */ +- r = change_uid_gid(context); +- if (r < 0) +- return log_error_errno(r, "Failed to drop privileges: %m"); +- + /* Try to get a stack trace if we can */ + if (coredump_size > arg_process_size_max) + log_debug("Not generating stack trace: core size %"PRIu64" is greater " +@@ -956,12 +926,23 @@ static int submit_coredump( + bool skip = startswith(context->meta[META_COMM], "systemd-coredum"); /* COMM is 16 bytes usually */ + + (void) parse_elf_object(coredump_fd, ++ mntns_fd, ++ context->uid, ++ context->gid, + context->meta[META_EXE], + /* fork_disable_dump= */ skip, /* avoid loops */ + &stacktrace, + &json_metadata); + } + ++ /* Now, let's drop privileges to become the user who owns the segfaulted process. This also ensures ++ * that the credentials journald will see are the ones of the coredumping user, thus making sure ++ * the user gets access to the core dump. Let's also get rid of all capabilities, if we run as root, ++ * we won't need them anymore. */ ++ r = drop_privileges(context->uid, context->gid, 0); ++ if (r < 0) ++ return log_error_errno(r, "Failed to drop privileges: %m"); ++ + log: + core_message = strjoina("Process ", context->meta[META_ARGV_PID], + " (", context->meta[META_COMM], ") of user ", +@@ -1094,6 +1075,15 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + if (r < 0) + return log_error_errno(r, "Failed to parse PID \"%s\": %m", context->meta[META_ARGV_PID]); + ++ r = parse_uid(context->meta[META_ARGV_UID], &context->uid); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse UID \"%s\": %m", context->meta[META_ARGV_UID]); ++ ++ r = parse_gid(context->meta[META_ARGV_GID], &context->gid); ++ if (r < 0) ++ return log_error_errno(r, "Failed to parse GID \"%s\": %m", context->meta[META_ARGV_GID]); ++ ++ + unit = context->meta[META_UNIT]; + context->is_pid1 = streq(context->meta[META_ARGV_PID], "1") || streq_ptr(unit, SPECIAL_INIT_SCOPE); + context->is_journald = streq_ptr(unit, SPECIAL_JOURNALD_SERVICE); +@@ -1102,11 +1092,11 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + } + + static int process_socket(int fd) { +- _cleanup_close_ int input_fd = -1; ++ _cleanup_close_ int input_fd = -EBADF, mntns_fd = -EBADF; + Context context = {}; + struct iovec_wrapper iovw = {}; + struct iovec iovec; +- int r; ++ int iterations = 0, r; + + assert(fd >= 0); + +@@ -1146,23 +1136,39 @@ static int process_socket(int fd) { + goto finish; + } + +- /* The final zero-length datagram carries the file descriptor and tells us ++ /* The final zero-length datagram carries the file descriptors and tells us + * that we're done. */ + if (n == 0) { + struct cmsghdr *found; + + free(iovec.iov_base); + +- found = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int))); +- if (!found) { +- cmsg_close_all(&mh); +- r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), +- "Coredump file descriptor missing."); +- goto finish; ++ found = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int) * 2)); ++ if (found) { ++ int fds[2] = { -EBADF, -EBADF }; ++ ++ memcpy(fds, CMSG_DATA(found), sizeof(int) * 2); ++ ++ assert(mntns_fd < 0); ++ ++ /* Maybe we already got coredump FD in previous iteration? */ ++ safe_close(input_fd); ++ ++ input_fd = fds[0]; ++ mntns_fd = fds[1]; ++ ++ /* We have all FDs we need let's take a shortcut here. */ ++ break; ++ } else { ++ found = cmsg_find(&mh, SOL_SOCKET, SCM_RIGHTS, CMSG_LEN(sizeof(int))); ++ if (found) ++ input_fd = *CMSG_DATA(found); + } + +- assert(input_fd < 0); +- input_fd = *(int*) CMSG_DATA(found); ++ /* This is the first message that carries file descriptors, maybe there will be one more that actually contains array of descriptors. */ ++ if (iterations++ == 0) ++ continue; ++ + break; + } else + cmsg_close_all(&mh); +@@ -1177,7 +1183,11 @@ static int process_socket(int fd) { + } + + /* Make sure we got all data we really need */ +- assert(input_fd >= 0); ++ if (input_fd < 0) { ++ r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), ++ "Coredump file descriptor missing."); ++ goto finish; ++ } + + r = save_context(&context, &iovw); + if (r < 0) +@@ -1192,15 +1202,15 @@ static int process_socket(int fd) { + goto finish; + } + +- r = submit_coredump(&context, &iovw, input_fd); ++ r = submit_coredump(&context, &iovw, input_fd, mntns_fd); + + finish: + iovw_free_contents(&iovw, true); + return r; + } + +-static int send_iovec(const struct iovec_wrapper *iovw, int input_fd) { +- _cleanup_close_ int fd = -1; ++static int send_iovec(const struct iovec_wrapper *iovw, int input_fd, int mntns_fd) { ++ _cleanup_close_ int fd = -EBADF; + int r; + + assert(iovw); +@@ -1256,6 +1266,12 @@ static int send_iovec(const struct iovec_wrapper *iovw, int input_fd) { + if (r < 0) + return log_error_errno(r, "Failed to send coredump fd: %m"); + ++ if (mntns_fd >= 0) { ++ r = send_many_fds(fd, (int[]) { input_fd, mntns_fd }, 2, 0); ++ if (r < 0) ++ return log_error_errno(r, "Failed to send coredump fds: %m"); ++ } ++ + return 0; + } + +@@ -1428,7 +1444,7 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { + static int process_kernel(int argc, char* argv[]) { + Context context = {}; + struct iovec_wrapper *iovw; +- int r; ++ int r, mntns_fd = -EBADF; + + /* When we're invoked by the kernel, stdout/stderr are closed which is dangerous because the fds + * could get reallocated. To avoid hard to debug issues, let's instead bind stdout/stderr to +@@ -1462,6 +1478,25 @@ static int process_kernel(int argc, char* argv[]) { + log_open(); + } + ++ r = in_same_namespace(getpid_cached(), context.pid, NAMESPACE_PID); ++ if (r < 0) ++ log_debug_errno(r, "Failed to check pidns of crashing process, ignoring: %m"); ++ ++ if (r == 0 && getenv_bool("SYSTEMD_COREDUMP_ALLOW_NAMESPACE_CHANGE") > 0) { ++ r = namespace_open(context.pid, NULL, &mntns_fd, NULL, NULL, NULL); ++ if (r < 0) ++ return log_error_errno(r, "Failed to open mntns of crashing process: %m"); ++ } else { ++ /* Crashing process is not running in the container or changing namespace is disabled, but we ++ still need to send mount namespace fd along side coredump fd so let's just open our own ++ mount namespace. Entering it will be NOP but that is OK. */ ++ r = namespace_open(getpid_cached(), NULL, &mntns_fd, NULL, NULL, NULL); ++ if (r < 0) ++ return log_error_errno(r, "Failed to open our mntns: %m"); ++ } ++ ++ assert(mntns_fd >= 0 && fd_is_ns(mntns_fd, CLONE_NEWNS) > 0); ++ + /* If this is PID 1 disable coredump collection, we'll unlikely be able to process + * it later on. + * +@@ -1474,9 +1509,9 @@ static int process_kernel(int argc, char* argv[]) { + } + + if (context.is_journald || context.is_pid1) +- r = submit_coredump(&context, iovw, STDIN_FILENO); ++ r = submit_coredump(&context, iovw, STDIN_FILENO, mntns_fd); + else +- r = send_iovec(iovw, STDIN_FILENO); ++ r = send_iovec(iovw, STDIN_FILENO, mntns_fd); + + finish: + iovw = iovw_free_free(iovw); +diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c +index bde5013b92..6a2969732d 100644 +--- a/src/shared/elf-util.c ++++ b/src/shared/elf-util.c +@@ -12,6 +12,7 @@ + #include + + #include "alloc-util.h" ++#include "capability-util.h" + #include "dlfcn-util.h" + #include "elf-util.h" + #include "errno-util.h" +@@ -21,9 +22,12 @@ + #include "hexdecoct.h" + #include "io-util.h" + #include "macro.h" ++#include "namespace-util.h" + #include "process-util.h" + #include "rlimit-util.h" + #include "string-util.h" ++#include "uid-alloc-range.h" ++#include "user-util.h" + #include "util.h" + + #define FRAMES_MAX 64 +@@ -752,11 +756,27 @@ static int parse_elf(int fd, const char *executable, char **ret, JsonVariant **r + return 0; + } + +-int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, char **ret, JsonVariant **ret_package_metadata) { ++static int core_change_uid_gid(uid_t uid, gid_t gid) { ++ uid_t u = uid; ++ gid_t g = gid; ++ int r; ++ ++ if (uid_is_system(u)) { ++ const char *user = "systemd-coredump"; ++ ++ r = get_user_creds(&user, &u, &g, NULL, NULL, 0); ++ if (r < 0) ++ log_warning_errno(r, "Cannot resolve %s user, ignoring: %m", user); ++ } ++ ++ return drop_privileges(u, g, 0); ++} ++ ++int parse_elf_object(int fd, int mntns_fd, uid_t uid, gid_t gid, const char *executable, bool fork_disable_dump, char **ret, JsonVariant **ret_package_metadata) { + _cleanup_close_pair_ int error_pipe[2] = { -1, -1 }, return_pipe[2] = { -1, -1 }, json_pipe[2] = { -1, -1 }; + _cleanup_(json_variant_unrefp) JsonVariant *package_metadata = NULL; + _cleanup_free_ char *buf = NULL; +- int r; ++ int flags, r; + + assert(fd >= 0); + +@@ -784,6 +804,10 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + return r; + } + ++ flags = FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE|FORK_NEW_USERNS|FORK_WAIT|FORK_REOPEN_LOG; ++ if (mntns_fd >= 0) ++ flags &= ~(FORK_CLOSE_ALL_FDS|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE|FORK_NEW_USERNS); ++ + /* Parsing possibly malformed data is crash-happy, so fork. In case we crash, + * the core file will not be lost, and the messages will still be attached to + * the journal. Reading the elf object might be slow, but it still has an upper +@@ -793,7 +817,7 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + r = safe_fork_full("(sd-parse-elf)", + (int[]){ fd, error_pipe[1], return_pipe[1], json_pipe[1] }, + 4, +- FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_NEW_MOUNTNS|FORK_MOUNTNS_SLAVE|FORK_NEW_USERNS|FORK_WAIT|FORK_REOPEN_LOG, ++ flags, + NULL); + if (r < 0) { + if (r == -EPROTO) { /* We should have the errno from the child, but don't clobber original error */ +@@ -811,6 +835,22 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + return r; + } + if (r == 0) { ++ if (mntns_fd >= 0) { ++ r = namespace_enter(/* pidns_fd = */ -EBADF, ++ mntns_fd, ++ /* netns_fd = */ -EBADF, ++ /* userns_fd = */ -EBADF, ++ /* root_fd = */ -EBADF); ++ if (r < 0) ++ log_notice_errno(r, "Failed to enter mount namespace of crashing process, ignoring: %m"); ++ } ++ ++ if (uid != UID_NOBODY && gid != GID_NOBODY) { ++ r = core_change_uid_gid(uid, gid); ++ if (r < 0) ++ log_notice_errno(r, "Failed to drop privileges, ignoring: %m"); ++ } ++ + /* We want to avoid loops, given this can be called from systemd-coredump */ + if (fork_disable_dump) { + r = RET_NERRNO(prctl(PR_SET_DUMPABLE, 0)); +diff --git a/src/shared/elf-util.h b/src/shared/elf-util.h +index b28e64cea6..350464941f 100644 +--- a/src/shared/elf-util.h ++++ b/src/shared/elf-util.h +@@ -10,9 +10,9 @@ int dlopen_elf(void); + /* Parse an ELF object in a forked process, so that errors while iterating over + * untrusted and potentially malicious data do not propagate to the main caller's process. + * If fork_disable_dump, the child process will not dump core if it crashes. */ +-int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, char **ret, JsonVariant **ret_package_metadata); ++int parse_elf_object(int fd, int mntns_fd, uid_t uid, gid_t gid, const char *executable, bool fork_disable_dump, char **ret, JsonVariant **ret_package_metadata); + #else +-static inline int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, char **ret, JsonVariant **ret_package_metadata) { ++static inline int parse_elf_object(int fd, int mntns_fd, uid_t uid, gid_t gid, const char *executable, bool fork_disable_dump, char **ret, JsonVariant **ret_package_metadata) { + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "elfutils disabled, parsing ELF objects not supported"); + } + #endif diff --git a/SOURCES/0719-test-add-a-couple-of-tests-for-systemd-coredump.patch b/SOURCES/0719-test-add-a-couple-of-tests-for-systemd-coredump.patch new file mode 100644 index 0000000..e8d8c6c --- /dev/null +++ b/SOURCES/0719-test-add-a-couple-of-tests-for-systemd-coredump.patch @@ -0,0 +1,194 @@ +From ab1212eb3880ef8f9b59c2145efa1f289f02c8c4 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 21 Mar 2023 23:19:41 +0100 +Subject: [PATCH] test: add a couple of tests for systemd-coredump + +(cherry picked from commit aadbd81f7ffbc313d0541c15455211dddeedbfde) + +Related: RHEL-34061 +--- + test/units/testsuite-74.coredump.sh | 175 ++++++++++++++++++++++++++++ + 1 file changed, 175 insertions(+) + create mode 100755 test/units/testsuite-74.coredump.sh + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +new file mode 100755 +index 0000000000..6a299ecbfb +--- /dev/null ++++ b/test/units/testsuite-74.coredump.sh +@@ -0,0 +1,175 @@ ++#!/usr/bin/env bash ++# SPDX-License-Identifier: LGPL-2.1-or-later ++set -eux ++set -o pipefail ++ ++# Make sure the binary name fits into 15 characters ++CORE_TEST_BIN="/tmp/test-dump" ++CORE_TEST_UNPRIV_BIN="/tmp/test-usr-dump" ++MAKE_DUMP_SCRIPT="/tmp/make-dump" ++# Unset $PAGER so we don't have to use --no-pager everywhere ++export PAGER= ++ ++at_exit() { ++ rm -fv -- "$CORE_TEST_BIN" "$CORE_TEST_UNPRIV_BIN" "$MAKE_DUMP_SCRIPT" ++} ++ ++trap at_exit EXIT ++ ++if systemd-detect-virt -cq; then ++ echo "Running in a container, skipping the systemd-coredump test..." ++ exit 0 ++fi ++ ++# Check that we're the ones to receive coredumps ++sysctl kernel.core_pattern | grep systemd-coredump ++ ++# Prepare "fake" binaries for coredumps, so we can properly exercise ++# the matching stuff too ++cp -vf /bin/sleep "${CORE_TEST_BIN:?}" ++cp -vf /bin/sleep "${CORE_TEST_UNPRIV_BIN:?}" ++# Simple script that spawns given "fake" binary and then kills it with ++# given signal ++cat >"${MAKE_DUMP_SCRIPT:?}" <<\EOF ++#!/bin/bash -ex ++ ++bin="${1:?}" ++sig="${2:?}" ++ ++ulimit -c unlimited ++"$bin" infinity & ++pid=$! ++sleep 1 ++kill -s "$sig" "$pid" ++# This should always fail ++! wait "$pid" ++EOF ++chmod +x "$MAKE_DUMP_SCRIPT" ++ ++# Privileged stuff ++[[ "$(id -u)" -eq 0 ]] ++# Trigger a couple of coredumps ++"$MAKE_DUMP_SCRIPT" "$CORE_TEST_BIN" "SIGTRAP" ++"$MAKE_DUMP_SCRIPT" "$CORE_TEST_BIN" "SIGABRT" ++# In the tests we store the coredumps in journals, so let's generate a couple ++# with Storage=external as well ++mkdir -p /run/systemd/coredump.conf.d/ ++printf '[Coredump]\nStorage=external' >/run/systemd/coredump.conf.d/99-external.conf ++"$MAKE_DUMP_SCRIPT" "$CORE_TEST_BIN" "SIGTRAP" ++"$MAKE_DUMP_SCRIPT" "$CORE_TEST_BIN" "SIGABRT" ++rm -fv /run/systemd/coredump.conf.d/99-external.conf ++# Wait a bit for the coredumps to get processed ++timeout 30 bash -c "while [[ $(coredumpctl list -q --no-legend $CORE_TEST_BIN | wc -l) -lt 4 ]]; do sleep 1; done" ++ ++coredumpctl ++SYSTEMD_LOG_LEVEL=debug coredumpctl ++coredumpctl --help ++coredumpctl --version ++coredumpctl --no-pager --no-legend ++coredumpctl --all ++coredumpctl -1 ++coredumpctl -n 1 ++coredumpctl --reverse ++coredumpctl -F COREDUMP_EXE ++coredumpctl --json=short | jq ++coredumpctl --json=pretty | jq ++coredumpctl --json=off ++coredumpctl --root=/ ++coredumpctl --directory=/var/log/journal ++coredumpctl --file="/var/log/journal/$(/tmp/core.redirected ++test -s /tmp/core.redirected ++coredumpctl dump -o /tmp/core.output "${CORE_TEST_BIN##*/}" ++test -s /tmp/core.output ++rm -f /tmp/core.{output,redirected} ++ ++# Unprivileged stuff ++# Related issue: https://github.com/systemd/systemd/issues/26912 ++UNPRIV_CMD=(systemd-run --user --wait --pipe -M "testuser@.host" --) ++# Trigger a couple of coredumps as an unprivileged user ++"${UNPRIV_CMD[@]}" "$MAKE_DUMP_SCRIPT" "$CORE_TEST_UNPRIV_BIN" "SIGTRAP" ++"${UNPRIV_CMD[@]}" "$MAKE_DUMP_SCRIPT" "$CORE_TEST_UNPRIV_BIN" "SIGABRT" ++# In the tests we store the coredumps in journals, so let's generate a couple ++# with Storage=external as well ++mkdir -p /run/systemd/coredump.conf.d/ ++printf '[Coredump]\nStorage=external' >/run/systemd/coredump.conf.d/99-external.conf ++"${UNPRIV_CMD[@]}" "$MAKE_DUMP_SCRIPT" "$CORE_TEST_UNPRIV_BIN" "SIGTRAP" ++"${UNPRIV_CMD[@]}" "$MAKE_DUMP_SCRIPT" "$CORE_TEST_UNPRIV_BIN" "SIGABRT" ++rm -fv /run/systemd/coredump.conf.d/99-external.conf ++# Wait a bit for the coredumps to get processed ++timeout 30 bash -c "while [[ $(coredumpctl list -q --no-legend $CORE_TEST_UNPRIV_BIN | wc -l) -lt 4 ]]; do sleep 1; done" ++ ++# root should see coredumps from both binaries ++coredumpctl info "$CORE_TEST_UNPRIV_BIN" ++coredumpctl info "${CORE_TEST_UNPRIV_BIN##*/}" ++# The test user should see only their own coredumps ++"${UNPRIV_CMD[@]}" coredumpctl ++"${UNPRIV_CMD[@]}" coredumpctl info "$CORE_TEST_UNPRIV_BIN" ++"${UNPRIV_CMD[@]}" coredumpctl info "${CORE_TEST_UNPRIV_BIN##*/}" ++(! "${UNPRIV_CMD[@]}" coredumpctl info --all "$CORE_TEST_BIN") ++(! "${UNPRIV_CMD[@]}" coredumpctl info --all "${CORE_TEST_BIN##*/}") ++# We should have a couple of externally stored coredumps ++"${UNPRIV_CMD[@]}" coredumpctl --field=COREDUMP_FILENAME | tee /tmp/coredumpctl.out ++grep "/var/lib/systemd/coredump/core" /tmp/coredumpctl.out ++rm -f /tmp/coredumpctl.out ++ ++"${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true "$CORE_TEST_UNPRIV_BIN" ++"${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true --debugger-arguments="-this --does --not 'do anything' -a -t --all" "${CORE_TEST_UNPRIV_BIN##*/}" ++ ++"${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_UNPRIV_BIN" >/tmp/core.redirected ++test -s /tmp/core.redirected ++"${UNPRIV_CMD[@]}" coredumpctl dump -o /tmp/core.output "${CORE_TEST_UNPRIV_BIN##*/}" ++test -s /tmp/core.output ++rm -f /tmp/core.{output,redirected} ++(! "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_BIN" >/dev/null) ++ ++# --backtrace mode ++# Pass one of the existing journal coredump records to systemd-coredump and ++# use our PID as the source to make matching the coredump later easier ++# systemd-coredump args: PID UID GID SIGNUM TIMESTAMP CORE_SOFT_RLIMIT HOSTNAME ++journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE="/usr/bin/test-dump" | ++ /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509994 12345 mymachine ++# Wait a bit for the coredump to get processed ++timeout 30 bash -c "while [[ $(coredumpctl list -q --no-legend $$ | wc -l) -eq 0 ]]; do sleep 1; done" ++coredumpctl info "$$" ++coredumpctl info COREDUMP_HOSTNAME="mymachine" ++ ++ ++(! coredumpctl --hello-world) ++(! coredumpctl -n 0) ++(! coredumpctl -n -1) ++(! coredumpctl --file=/dev/null) ++(! coredumpctl --since=0) ++(! coredumpctl --until='') ++(! coredumpctl --since=today --until=yesterday) ++(! coredumpctl --directory=/ --root=/) ++(! coredumpctl --json=foo) ++(! coredumpctl -F foo -F bar) ++(! coredumpctl list 0) ++(! coredumpctl list -- -1) ++(! coredumpctl list '') ++(! coredumpctl info /../.~=) ++(! coredumpctl info '') ++(! coredumpctl dump --output=/dev/full "$CORE_TEST_BIN") ++(! coredumpctl dump --output=/dev/null --output=/dev/null "$CORE_TEST_BIN") ++(! coredumpctl debug --debugger=/bin/false) ++(! coredumpctl debug --debugger=/bin/true --debugger-arguments='"') diff --git a/SOURCES/0720-test-don-t-expand-the-subshell-expression-prematurel.patch b/SOURCES/0720-test-don-t-expand-the-subshell-expression-prematurel.patch new file mode 100644 index 0000000..0bb6d18 --- /dev/null +++ b/SOURCES/0720-test-don-t-expand-the-subshell-expression-prematurel.patch @@ -0,0 +1,54 @@ +From 67b33be5be12ea7500d54a78961acbe76126e8ed Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sat, 25 Mar 2023 12:02:15 +0100 +Subject: [PATCH] test: don't expand the subshell expression prematurely + +We need to expand the subshell expression during the `bash -c` +invocation, not before, to take the desired effect, as now it expands to: + +timeout 30 bash -c 'while [[ 0 -eq 0 ]]; do sleep 1; done' + +instead of the expected: + +timeout 30 bash -c 'while [[ $(coredumpctl list -q --no-legend 770 | wc -l) -eq 0 ]]; do sleep 1; done' + +Follow-up to aadbd81f7f. + +(cherry picked from commit 0b189ac84c432a085a1f10139260cec6b5032523) + +Related: RHEL-34061 +--- + test/units/testsuite-74.coredump.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index 6a299ecbfb..3910abe0ec 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -59,7 +59,7 @@ printf '[Coredump]\nStorage=external' >/run/systemd/coredump.conf.d/99-external. + "$MAKE_DUMP_SCRIPT" "$CORE_TEST_BIN" "SIGABRT" + rm -fv /run/systemd/coredump.conf.d/99-external.conf + # Wait a bit for the coredumps to get processed +-timeout 30 bash -c "while [[ $(coredumpctl list -q --no-legend $CORE_TEST_BIN | wc -l) -lt 4 ]]; do sleep 1; done" ++timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $CORE_TEST_BIN | wc -l) -lt 4 ]]; do sleep 1; done" + + coredumpctl + SYSTEMD_LOG_LEVEL=debug coredumpctl +@@ -116,7 +116,7 @@ printf '[Coredump]\nStorage=external' >/run/systemd/coredump.conf.d/99-external. + "${UNPRIV_CMD[@]}" "$MAKE_DUMP_SCRIPT" "$CORE_TEST_UNPRIV_BIN" "SIGABRT" + rm -fv /run/systemd/coredump.conf.d/99-external.conf + # Wait a bit for the coredumps to get processed +-timeout 30 bash -c "while [[ $(coredumpctl list -q --no-legend $CORE_TEST_UNPRIV_BIN | wc -l) -lt 4 ]]; do sleep 1; done" ++timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $CORE_TEST_UNPRIV_BIN | wc -l) -lt 4 ]]; do sleep 1; done" + + # root should see coredumps from both binaries + coredumpctl info "$CORE_TEST_UNPRIV_BIN" +@@ -149,7 +149,7 @@ rm -f /tmp/core.{output,redirected} + journalctl -b -n 1 --output=export --output-fields=MESSAGE,COREDUMP COREDUMP_EXE="/usr/bin/test-dump" | + /usr/lib/systemd/systemd-coredump --backtrace $$ 0 0 6 1679509994 12345 mymachine + # Wait a bit for the coredump to get processed +-timeout 30 bash -c "while [[ $(coredumpctl list -q --no-legend $$ | wc -l) -eq 0 ]]; do sleep 1; done" ++timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $$ | wc -l) -eq 0 ]]; do sleep 1; done" + coredumpctl info "$$" + coredumpctl info COREDUMP_HOSTNAME="mymachine" + diff --git a/SOURCES/0721-coredump-filter-fix-stack-overflow-with-all.patch b/SOURCES/0721-coredump-filter-fix-stack-overflow-with-all.patch new file mode 100644 index 0000000..8df2e47 --- /dev/null +++ b/SOURCES/0721-coredump-filter-fix-stack-overflow-with-all.patch @@ -0,0 +1,63 @@ +From 8eab546a3468dcb1ed714ec02c927ea2f5141645 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 26 Apr 2023 14:18:04 +0100 +Subject: [PATCH] coredump filter: fix stack overflow with =all + +We translate 'all' to UNIT64_MAX, which has a lot more 'f's. Use the +helper macro, since a decimal uint64_t will always be >> than a hex +representation. + +root@image:~# systemd-run -t --property CoredumpFilter=all ls /tmp +Running as unit: run-u13.service +Press ^] three times within 1s to disconnect TTY. +*** stack smashing detected ***: terminated +[137256.320511] systemd[1]: run-u13.service: Main process exited, code=dumped, status=6/ABRT +[137256.320850] systemd[1]: run-u13.service: Failed with result 'core-dump'. + +(cherry picked from commit 37232d55a7bcace37280e28b207c85f5ca9b3f6b) + +Related: RHEL-34061 +--- + src/basic/macro.h | 4 ++++ + src/shared/coredump-util.c | 5 +++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/basic/macro.h b/src/basic/macro.h +index 2d378454a2..6893a1ff32 100644 +--- a/src/basic/macro.h ++++ b/src/basic/macro.h +@@ -268,6 +268,10 @@ static inline int __coverity_check_and_return__(int condition) { + + #define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member) + ++/* Maximum buffer size needed for formatting an unsigned integer type as hex, including space for '0x' ++ * prefix and trailing NUL suffix. */ ++#define HEXADECIMAL_STR_MAX(type) (2 + sizeof(type) * 2 + 1) ++ + /* Returns the number of chars needed to format variables of the specified type as a decimal string. Adds in + * extra space for a negative '-' prefix for signed types. Includes space for the trailing NUL. */ + #define DECIMAL_STR_MAX(type) \ +diff --git a/src/shared/coredump-util.c b/src/shared/coredump-util.c +index a0b648bf79..aaf3e16eff 100644 +--- a/src/shared/coredump-util.c ++++ b/src/shared/coredump-util.c +@@ -3,6 +3,7 @@ + #include "coredump-util.h" + #include "extract-word.h" + #include "fileio.h" ++#include "stdio-util.h" + #include "string-table.h" + + static const char *const coredump_filter_table[_COREDUMP_FILTER_MAX] = { +@@ -65,9 +66,9 @@ int coredump_filter_mask_from_string(const char *s, uint64_t *ret) { + } + + int set_coredump_filter(uint64_t value) { +- char t[STRLEN("0xFFFFFFFF")]; ++ char t[HEXADECIMAL_STR_MAX(uint64_t)]; + +- sprintf(t, "0x%"PRIx64, value); ++ xsprintf(t, "0x%"PRIx64, value); + + return write_string_file("/proc/self/coredump_filter", t, + WRITE_STRING_FILE_VERIFY_ON_FAILURE|WRITE_STRING_FILE_DISABLE_BUFFER); diff --git a/SOURCES/0722-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch b/SOURCES/0722-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch new file mode 100644 index 0000000..1238911 --- /dev/null +++ b/SOURCES/0722-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch @@ -0,0 +1,59 @@ +From 88d675ef77a4cdebbb7f1367679fc349de487f75 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 26 Apr 2023 14:19:33 +0100 +Subject: [PATCH] coredump filter: add mask for 'all' using UINT32_MAX, not + UINT64_MAX + +The kernel returns ERANGE when UINT64_MAX is passed. Create a mask +and use UINT32_max, which is accepted, so that future bits will also +be set. + +(cherry picked from commit 7f3bb8f20dcccaceea8b1ee05f0560b81162037b) + +Related: RHEL-34061 +--- + src/shared/coredump-util.c | 2 +- + src/shared/coredump-util.h | 3 +++ + src/test/test-coredump-util.c | 2 ++ + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/shared/coredump-util.c b/src/shared/coredump-util.c +index aaf3e16eff..7a44816834 100644 +--- a/src/shared/coredump-util.c ++++ b/src/shared/coredump-util.c +@@ -43,7 +43,7 @@ int coredump_filter_mask_from_string(const char *s, uint64_t *ret) { + } + + if (streq(n, "all")) { +- m = UINT64_MAX; ++ m = COREDUMP_FILTER_MASK_ALL; + continue; + } + +diff --git a/src/shared/coredump-util.h b/src/shared/coredump-util.h +index 09e7ed443f..f4d4098136 100644 +--- a/src/shared/coredump-util.h ++++ b/src/shared/coredump-util.h +@@ -22,6 +22,9 @@ typedef enum CoredumpFilter { + 1u << COREDUMP_FILTER_ELF_HEADERS | \ + 1u << COREDUMP_FILTER_PRIVATE_HUGE) + ++/* The kernel doesn't like UINT64_MAX and returns ERANGE, use UINT32_MAX to support future new flags */ ++#define COREDUMP_FILTER_MASK_ALL UINT32_MAX ++ + const char* coredump_filter_to_string(CoredumpFilter i) _const_; + CoredumpFilter coredump_filter_from_string(const char *s) _pure_; + int coredump_filter_mask_from_string(const char *s, uint64_t *ret); +diff --git a/src/test/test-coredump-util.c b/src/test/test-coredump-util.c +index 40b68df9f4..87dc371a88 100644 +--- a/src/test/test-coredump-util.c ++++ b/src/test/test-coredump-util.c +@@ -23,6 +23,8 @@ TEST(coredump_filter_mask_from_string) { + uint64_t f; + assert_se(coredump_filter_mask_from_string("default", &f) == 0); + assert_se(f == COREDUMP_FILTER_MASK_DEFAULT); ++ assert_se(coredump_filter_mask_from_string("all", &f) == 0); ++ assert_se(f == COREDUMP_FILTER_MASK_ALL); + + assert_se(coredump_filter_mask_from_string(" default\tdefault\tdefault ", &f) == 0); + assert_se(f == COREDUMP_FILTER_MASK_DEFAULT); diff --git a/SOURCES/0723-test-add-coverage-for-CoredumpFilter-all.patch b/SOURCES/0723-test-add-coverage-for-CoredumpFilter-all.patch new file mode 100644 index 0000000..fc3ae4a --- /dev/null +++ b/SOURCES/0723-test-add-coverage-for-CoredumpFilter-all.patch @@ -0,0 +1,26 @@ +From 2d16eaf0c4151ecb308452375661960eab3ec3c8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 26 Apr 2023 14:32:04 +0100 +Subject: [PATCH] test: add coverage for CoredumpFilter=all + +(cherry picked from commit cf636aa59eb8c848ed04d5b08aac0acf3f6683d9) + +Related: RHEL-34061 +--- + test/units/testsuite-74.coredump.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index 3910abe0ec..0e5d050f45 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -153,6 +153,9 @@ timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $$ | wc -l) -eq + coredumpctl info "$$" + coredumpctl info COREDUMP_HOSTNAME="mymachine" + ++# This used to cause a stack overflow ++systemd-run -t --property CoredumpFilter=all ls /tmp ++systemd-run -t --property CoredumpFilter=default ls /tmp + + (! coredumpctl --hello-world) + (! coredumpctl -n 0) diff --git a/SOURCES/0724-test-rotate-journal-before-storing-coredumps.patch b/SOURCES/0724-test-rotate-journal-before-storing-coredumps.patch new file mode 100644 index 0000000..da63fb5 --- /dev/null +++ b/SOURCES/0724-test-rotate-journal-before-storing-coredumps.patch @@ -0,0 +1,52 @@ +From 9bac78b7b359e063bfb43a2fb358195c0a6608e8 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Wed, 24 May 2023 10:31:41 +0900 +Subject: [PATCH] test: rotate journal before storing coredumps + +Hopefully fixes the failure like +https://jenkins-systemd.apps.ocp.cloud.ci.centos.org/job/upstream-vagrant-archlinux-sanitizers/2558/ +--- +[ 66.708894] testsuite-74.sh[728]: + coredumpctl --json=off +[ 66.709344] testsuite-74.sh[826]: TIME PID UID GID SIG COREFILE EXE SIZE +[ 66.709773] testsuite-74.sh[826]: Tue 2023-05-23 22:10:17 UTC 739 0 0 SIGTRAP journal /tmp/test-dump - +[ 66.711134] testsuite-74.sh[826]: Tue 2023-05-23 22:10:18 UTC 747 0 0 SIGABRT journal /tmp/test-dump - +[ 66.711789] testsuite-74.sh[826]: Tue 2023-05-23 22:10:19 UTC 763 0 0 SIGTRAP present /tmp/test-dump 53.5K +[ 66.712460] testsuite-74.sh[826]: Tue 2023-05-23 22:10:20 UTC 776 0 0 SIGABRT present /tmp/test-dump 53.3K +[ 66.713505] testsuite-74.sh[728]: + coredumpctl --root=/ +[ 66.714144] testsuite-74.sh[828]: TIME PID UID GID SIG COREFILE EXE SIZE +[ 66.714535] testsuite-74.sh[828]: Tue 2023-05-23 22:10:17 UTC 739 0 0 SIGTRAP journal /tmp/test-dump - +[ 66.715208] testsuite-74.sh[828]: Tue 2023-05-23 22:10:18 UTC 747 0 0 SIGABRT journal /tmp/test-dump - +[ 66.715907] testsuite-74.sh[828]: Tue 2023-05-23 22:10:19 UTC 763 0 0 SIGTRAP present /tmp/test-dump 53.5K +[ 66.716565] testsuite-74.sh[828]: Tue 2023-05-23 22:10:20 UTC 776 0 0 SIGABRT present /tmp/test-dump 53.3K +[ 66.717494] testsuite-74.sh[728]: + coredumpctl --directory=/var/log/journal +[ 66.718188] testsuite-74.sh[830]: TIME PID UID GID SIG COREFILE EXE SIZE +[ 66.882072] testsuite-74.sh[830]: Tue 2023-05-23 22:10:17 UTC 739 0 0 SIGTRAP journal /tmp/test-dump - +[ 66.882642] testsuite-74.sh[830]: Tue 2023-05-23 22:10:18 UTC 747 0 0 SIGABRT journal /tmp/test-dump - +[ 66.883450] testsuite-74.sh[830]: Tue 2023-05-23 22:10:19 UTC 763 0 0 SIGTRAP present /tmp/test-dump 53.5K +[ 66.883944] testsuite-74.sh[830]: Tue 2023-05-23 22:10:20 UTC 776 0 0 SIGABRT present /tmp/test-dump 53.3K +[ 66.885448] testsuite-74.sh[728]: + coredumpctl --file=/var/log/journal/2e1ed84be19a4e22adfc99ad849be1f6/system.journal +[ 66.885989] testsuite-74.sh[728]: + at_exit +[ 66.894162] coredumpctl[833]: No coredumps found. +--- + +(cherry picked from commit 5c4e96c28c4a2193ba0dd459ea3366614f9b262f) + +Related: RHEL-34061 +--- + test/units/testsuite-74.coredump.sh | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index 0e5d050f45..d5039b70f4 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -21,6 +21,9 @@ if systemd-detect-virt -cq; then + exit 0 + fi + ++# To make all coredump entries stored in system.journal. ++journalctl --rotate ++ + # Check that we're the ones to receive coredumps + sysctl kernel.core_pattern | grep systemd-coredump + diff --git a/SOURCES/0725-test-sync-with-the-fake-binary-before-killing-it.patch b/SOURCES/0725-test-sync-with-the-fake-binary-before-killing-it.patch new file mode 100644 index 0000000..55c0000 --- /dev/null +++ b/SOURCES/0725-test-sync-with-the-fake-binary-before-killing-it.patch @@ -0,0 +1,77 @@ +From 43c604a8ed7f436c9c123d4e53dc9b3d7192522d Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Fri, 2 Jun 2023 13:24:32 +0200 +Subject: [PATCH] test: sync with the fake binary before killing it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On faster machines we might be too fast and kill the fake binary during +fork() which then makes kernel report a "wrong" binary in the coredump, +e.g.: + +[ 31.408078] testsuite-74.sh[548]: + /tmp/make-dump /tmp/test-dump SIGTRAP +[ 31.409720] testsuite-74.sh[560]: + bin=/tmp/test-dump +[ 31.409720] testsuite-74.sh[560]: + sig=SIGTRAP +[ 31.409720] testsuite-74.sh[560]: + ulimit -c unlimited +[ 31.409720] testsuite-74.sh[560]: + pid=561 +[ 31.409720] testsuite-74.sh[560]: + sleep 1 +[ 31.409720] testsuite-74.sh[560]: + kill -s SIGTRAP 561 +[ 31.409720] testsuite-74.sh[560]: + wait 561 +[ 31.491757] systemd[1]: Created slice system-systemd\x2dcoredump.slice. +[ 31.524488] systemd[1]: Started systemd-coredump@0-563-0.service. +[ 31.616372] systemd-coredump[564]: [🡕] Process 561 (make-dump) of user 0 dumped core. + + Stack trace of thread 561: + #0 0x00007ff86bb49af7 _Fork (libc.so.6 + 0xd4af7) + #1 0x00007ff86bb4965f __libc_fork (libc.so.6 + 0xd465f) + #2 0x000055e88011b0ad make_child (bash + 0x550ad) + #3 0x000055e8800fd05f n/a (bash + 0x3705f) + #4 0x000055e880100116 execute_command_internal (bash + 0x3a116) + #5 0x000055e8801011f2 execute_command_internal (bash + 0x3b1f2) + #6 0x000055e8801025b6 execute_command (bash + 0x3c5b6) + #7 0x000055e8800f134b reader_loop (bash + 0x2b34b) + #8 0x000055e8800e757d main (bash + 0x2157d) + #9 0x00007ff86ba98850 n/a (libc.so.6 + 0x23850) + #10 0x00007ff86ba9890a __libc_start_main (libc.so.6 + 0x2390a) + #11 0x000055e8800e83b5 _start (bash + 0x223b5) + ELF object binary architecture: AMD x86-64 +[ 31.666617] testsuite-74.sh[560]: /tmp/make-dump: line 12: 561 Trace/breakpoint trap (core dumped) "$bin" infinity +... +$ coredumpctl list --file system.journal +TIME PID UID GID SIG COREFILE EXE SIZE +Fri 2023-06-02 10:42:10 CEST 561 0 0 SIGTRAP journal /usr/bin/bash - +Fri 2023-06-02 10:42:11 CEST 570 0 0 SIGABRT journal /tmp/test-dump - +Fri 2023-06-02 10:42:12 CEST 582 0 0 SIGTRAP missing /tmp/test-dump - +Fri 2023-06-02 10:42:13 CEST 593 0 0 SIGABRT missing /tmp/test-dump - + +(cherry picked from commit 1326d2dd059132760b40acb7a715ecc9ff08bd35) + +Related: RHEL-34061 +--- + test/units/testsuite-74.coredump.sh | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index d5039b70f4..d30fd73717 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -42,7 +42,17 @@ sig="${2:?}" + ulimit -c unlimited + "$bin" infinity & + pid=$! +-sleep 1 ++# Sync with the "fake" binary, so we kill it once it's fully forked off, ++# otherwise we might kill it during fork and kernel would then report ++# "wrong" binary name (i.e. $MAKE_DUMP_SCRIPT instead of $CORE_TEST_BIN). ++# In this case, wait until the "fake" binary (sleep in this case) enters ++# the "interruptible sleep" state, at which point it should be ready ++# to be sacrificed. ++for _ in {0..9}; do ++ read -ra self_stat <"/proc/$pid/stat" ++ [[ "${self_stat[2]}" == S ]] && break ++ sleep .5 ++done + kill -s "$sig" "$pid" + # This should always fail + ! wait "$pid" diff --git a/SOURCES/0726-test-check-coredump-handling-in-containers-namespace.patch b/SOURCES/0726-test-check-coredump-handling-in-containers-namespace.patch new file mode 100644 index 0000000..0feb020 --- /dev/null +++ b/SOURCES/0726-test-check-coredump-handling-in-containers-namespace.patch @@ -0,0 +1,112 @@ +From a8924006c47a680f038d9ff66fd3896ffbc37bc1 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 25 Apr 2024 19:50:10 +0200 +Subject: [PATCH] test: check coredump handling in containers & namespaces + +This is partially based on upstream's 097e28736a, which tests coredump +forwarding (that we don't have in RHEL 9). It also provides basic +coverage for RHEL-29430 (generating stack traces for processes in +containers without coredump fowarding). + +rhel-only +Related: RHEL-34061 +--- + test/test-functions | 2 +- + test/units/testsuite-74.coredump.sh | 64 ++++++++++++++++++++++++++++- + 2 files changed, 64 insertions(+), 2 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index 1608644cbb..947f8589c5 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -2619,7 +2619,7 @@ inst_binary() { + # ls, stat - pulls in nss_systemd with certain options (like ls -l) when + # nsswitch.conf uses [SUCCESS=merge] (like on Arch Linux) + # tar - called by machinectl in TEST-25 +- if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|getent|login|ls|stat|su|tar|useradd|userdel)$ ]]; then ++ if get_bool "$IS_BUILT_WITH_ASAN" && [[ "$bin" =~ /(chown|getent|login|id|ls|stat|su|tar|useradd|userdel)$ ]]; then + wrap_binary=1 + fi + +diff --git a/test/units/testsuite-74.coredump.sh b/test/units/testsuite-74.coredump.sh +index d30fd73717..1093cad8a9 100755 +--- a/test/units/testsuite-74.coredump.sh ++++ b/test/units/testsuite-74.coredump.sh +@@ -74,6 +74,68 @@ rm -fv /run/systemd/coredump.conf.d/99-external.conf + # Wait a bit for the coredumps to get processed + timeout 30 bash -c "while [[ \$(coredumpctl list -q --no-legend $CORE_TEST_BIN | wc -l) -lt 4 ]]; do sleep 1; done" + ++# RHEL9: following part is taken out of 097e28736aed9280dfac0f8e8096deca71bac813 but slightly tweaked, since ++# in RHEL9 we don't have the support for coredump forwarding ++CONTAINER="testsuite-74-container" ++TESTUSER_UID="$(id -u testuser)" ++TESTUSER_GID="$(id -g testuser)" ++ ++mkdir -p "/var/lib/machines/$CONTAINER" ++mkdir -p "/run/systemd/system/systemd-nspawn@$CONTAINER.service.d" ++# Bind-mounting /etc into the container kinda defeats the purpose of --volatile=, ++# but we need the ASan-related overrides scattered across /etc ++cat > "/run/systemd/system/systemd-nspawn@$CONTAINER.service.d/override.conf" << EOF ++[Service] ++ExecStart= ++ExecStart=systemd-nspawn --quiet --link-journal=try-guest --keep-unit --machine=%i --boot \ ++ --volatile=yes --directory=/ --bind-ro=/etc --inaccessible=/etc/machine-id ++EOF ++systemctl daemon-reload ++ ++machinectl start "$CONTAINER" ++timeout 60 bash -xec "until systemd-run -M '$CONTAINER' -q --wait --pipe true; do sleep .5; done" ++machinectl copy-to "$CONTAINER" "$MAKE_DUMP_SCRIPT" ++ ++run_namespaced_coredump_tests() { ++ local TS ++ ++ # Make a couple of coredumps in a full-fleged container ++ TS="$(date +"%s.%N")" ++ [[ "$(coredumpctl list --since="@$TS" -q --no-legend /usr/bin/sleep | wc -l)" -eq 0 ]] ++ [[ "$(coredumpctl list --since="@$TS" -q --no-legend /usr/bin/sleep _UID="$TESTUSER_UID" | wc -l)" -eq 0 ]] ++ systemd-run -M "testuser@$CONTAINER" --user -q --wait --pipe "$MAKE_DUMP_SCRIPT" "/usr/bin/sleep" "SIGABRT" ++ systemd-run -M "$CONTAINER" -q --wait --pipe "$MAKE_DUMP_SCRIPT" "/usr/bin/sleep" "SIGTRAP" ++ # Wait a bit for the coredumps to get processed ++ timeout 30 bash -c "while [[ \$(coredumpctl list --since=@$TS -q --no-legend /usr/bin/sleep | wc -l) -ne 2 ]]; do sleep 1; done" ++ coredumpctl list ++ [[ "$(coredumpctl list --since="@$TS" -q --no-legend /usr/bin/sleep _UID="$TESTUSER_UID" _GID="$TESTUSER_GID" | wc -l)" -eq 1 ]] ++ ++ # Simplified version of the above - not a full container, just a mount & pid namespace ++ TS="$(date +"%s.%N")" ++ unshare --mount --pid --fork --mount-proc /bin/bash -xec "$MAKE_DUMP_SCRIPT /usr/bin/sleep SIGABRT" ++ timeout 30 bash -c "while [[ \$(coredumpctl list --since=@$TS -q --no-legend /usr/bin/sleep | wc -l) -ne 1 ]]; do sleep 1; done" ++ TS="$(date +"%s.%N")" ++ unshare --setuid="$TESTUSER_UID" --setgid="$TESTUSER_GID" --mount --pid --fork --mount-proc /bin/bash -xec "$MAKE_DUMP_SCRIPT /usr/bin/sleep SIGABRT" ++ timeout 30 bash -c "while [[ \$(coredumpctl list --since=@$TS -q --no-legend /usr/bin/sleep _UID=$TESTUSER_UID _GID=$TESTUSER_GID | wc -l) -ne 1 ]]; do sleep 1; done" ++} ++ ++# First, run the tests with default systemd-coredumpd settings ++run_namespaced_coredump_tests ++ ++# And now with SYSTEMD_COREDUMP_ALLOW_NAMESPACE_CHANGE=1 (RHEL-only) ++cat >/tmp/coredump-handler.sh < +Date: Sat, 23 Dec 2023 12:20:03 +0100 +Subject: [PATCH] ukify: make the test happy with the latest OpenSSL + +Which dropped some whitespaces in the output: + +$ openssl version +OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023) +$ openssl x509 -in cert.pem -text -noout | grep Issuer + Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd + +$ openssl version +OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023) +$ openssl x509 -in cert.pem -text -noout | grep Issuer + Issuer: C = XX, L = Default City, O = Default Company Ltd + +Making test-ukify unhappy: + +> assert 'Issuer: CN = SecureBoot signing key on host' in out +E AssertionError: assert 'Issuer: CN = SecureBoot signing key on host' in '<...snip...>Issuer: CN=SecureBoot signing key on host archlinux2\n...' + +(cherry picked from commit 338ed5bea4fcd0b5b1cdcfb96a789edf6251bbdd) + +Resolves: RHEL-34061 +--- + src/ukify/test/test_ukify.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py +index 5a42a94799..31054eabea 100755 +--- a/src/ukify/test/test_ukify.py ++++ b/src/ukify/test/test_ukify.py +@@ -850,7 +850,7 @@ def test_key_cert_generation(tmpdir): + '-noout', + ], text = True) + assert 'Certificate' in out +- assert 'Issuer: CN = SecureBoot signing key on host' in out ++ assert re.search('Issuer: CN\s?=\s?SecureBoot signing key on host', out) + + if __name__ == '__main__': + sys.exit(pytest.main(sys.argv)) diff --git a/SOURCES/0728-kernel-install-fix-uki-copy-deinstall.patch b/SOURCES/0728-kernel-install-fix-uki-copy-deinstall.patch new file mode 100644 index 0000000..e4d211d --- /dev/null +++ b/SOURCES/0728-kernel-install-fix-uki-copy-deinstall.patch @@ -0,0 +1,44 @@ +From ba83f030dc2721a317f31f5b7a5884431349074f Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 18 Mar 2024 17:04:22 +0100 +Subject: [PATCH] kernel-install: fix uki-copy deinstall + +For "kernel-install remove ..." only the kernel version is passed, not +the kernel image. So auto-detecting KERNEL_INSTALL_IMAGE_TYPE and +setting KERNEL_INSTALL_LAYOUT does not work for uninstall. + +The 90-uki-copy.install plugin must consider this and *not* exit early +for the "remove" command, otherwise $BOOT_ROOT will be filled with stale +kernel images. + +Signed-off-by: Gerd Hoffmann + +(cherry picked from commit 3037616d8ed68f3263746e3c6399d4a05242068b) + +Resolves: RHEL-35994 +--- + src/kernel-install/90-uki-copy.install | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/kernel-install/90-uki-copy.install b/src/kernel-install/90-uki-copy.install +index c66c09719c..d443c4b401 100755 +--- a/src/kernel-install/90-uki-copy.install ++++ b/src/kernel-install/90-uki-copy.install +@@ -26,8 +26,6 @@ KERNEL_VERSION="${2:?}" + ENTRY_DIR_ABS="$3" + KERNEL_IMAGE="$4" + +-[ "$KERNEL_INSTALL_LAYOUT" = "uki" ] || exit 0 +- + ENTRY_TOKEN="$KERNEL_INSTALL_ENTRY_TOKEN" + BOOT_ROOT="$KERNEL_INSTALL_BOOT_ROOT" + +@@ -48,6 +46,8 @@ case "$COMMAND" in + ;; + esac + ++[ "$KERNEL_INSTALL_LAYOUT" = "uki" ] || exit 0 ++ + if ! [ -d "$UKI_DIR" ]; then + [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && echo "creating $UKI_DIR" + mkdir -p "$UKI_DIR" diff --git a/SOURCES/0729-cryptsetup-do-not-assert-when-unsealing-token-withou.patch b/SOURCES/0729-cryptsetup-do-not-assert-when-unsealing-token-withou.patch new file mode 100644 index 0000000..39a5bd4 --- /dev/null +++ b/SOURCES/0729-cryptsetup-do-not-assert-when-unsealing-token-withou.patch @@ -0,0 +1,75 @@ +From 540f1d6b38dc6f2f72785ba7b44ad3cc65243982 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Wed, 15 Feb 2023 00:44:01 +0000 +Subject: [PATCH] cryptsetup: do not assert when unsealing token without salt + +Salt was added in v253. We are not checking whether it was actually found +(non-zero size), so when an old tpm+pin enrollment is opened things go boom. +For good measure, check both the buffer and the size in both places. + +Assertion 'saltlen > 0' failed at src/shared/tpm2-util.c:2490, function tpm2_util_pbkdf2_hmac_sha256(). Aborting. + +(cherry picked from commit 504d0acf61c8472bc93c2a927e858074873b2eaf) + +Resolves: RHEL-40119 +--- + src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 3 ++- + src/cryptsetup/cryptsetup-tpm2.c | 4 +++- + src/shared/tpm2-util.c | 1 + + 3 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +index 630a2d8d3e..e353e947aa 100644 +--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c ++++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +@@ -40,6 +40,7 @@ int acquire_luks2_key( + _cleanup_(erase_and_freep) char *b64_salted_pin = NULL; + int r; + ++ assert(salt || salt_size == 0); + assert(ret_decrypted_key); + assert(ret_decrypted_key_size); + +@@ -60,7 +61,7 @@ int acquire_luks2_key( + if ((flags & TPM2_FLAGS_USE_PIN) && salt && !pin) + return -ENOANO; + +- if (pin) { ++ if (pin && salt_size > 0) { + uint8_t salted_pin[SHA256_DIGEST_SIZE] = {}; + CLEANUP_ERASE(salted_pin); + r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt, salt_size, salted_pin); +diff --git a/src/cryptsetup/cryptsetup-tpm2.c b/src/cryptsetup/cryptsetup-tpm2.c +index c049b8a313..036f3d3a00 100644 +--- a/src/cryptsetup/cryptsetup-tpm2.c ++++ b/src/cryptsetup/cryptsetup-tpm2.c +@@ -88,6 +88,8 @@ int acquire_tpm2_key( + const void *blob; + int r; + ++ assert(salt || salt_size == 0); ++ + if (!device) { + r = tpm2_find_device_auto(&auto_device); + if (r == -ENODEV) +@@ -165,7 +167,7 @@ int acquire_tpm2_key( + if (r < 0) + return r; + +- if (salt) { ++ if (salt_size > 0) { + uint8_t salted_pin[SHA256_DIGEST_SIZE] = {}; + CLEANUP_ERASE(salted_pin); + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 4e382f691e..1d2d4ddda4 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -6041,6 +6041,7 @@ int tpm2_util_pbkdf2_hmac_sha256(const void *pass, + */ + static const uint8_t block_cnt[] = { 0, 0, 0, 1 }; + ++ assert (salt); + assert (saltlen > 0); + assert (saltlen <= (SIZE_MAX - sizeof(block_cnt))); + assert (passlen > 0); diff --git a/SOURCES/0730-cryptsetup-check-the-existence-of-salt-by-salt_size-.patch b/SOURCES/0730-cryptsetup-check-the-existence-of-salt-by-salt_size-.patch new file mode 100644 index 0000000..f3f286a --- /dev/null +++ b/SOURCES/0730-cryptsetup-check-the-existence-of-salt-by-salt_size-.patch @@ -0,0 +1,29 @@ +From d22cd36758db25eb9144fbe47f741cd1547b7d0e Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 17 Feb 2023 08:24:54 +0900 +Subject: [PATCH] cryptsetup: check the existence of salt by salt_size > 0 + +Follow-up for 504d0acf61c8472bc93c2a927e858074873b2eaf. + +The function may be called with non-NULL salt and salt_size == 0. + +(cherry picked from commit 8c2264abb9c16bc2933f95be299f15ee66c21181) + +Related: RHEL-40119 +--- + src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +index e353e947aa..5230a84025 100644 +--- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c ++++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +@@ -58,7 +58,7 @@ int acquire_luks2_key( + return -ENOANO; + + /* If we're using a PIN, and the luks header has a salt, it better have a pin too */ +- if ((flags & TPM2_FLAGS_USE_PIN) && salt && !pin) ++ if ((flags & TPM2_FLAGS_USE_PIN) && salt_size > 0 && !pin) + return -ENOANO; + + if (pin && salt_size > 0) { diff --git a/SOURCES/0731-bootspec-fix-null-dereference-read.patch b/SOURCES/0731-bootspec-fix-null-dereference-read.patch new file mode 100644 index 0000000..8f5c950 --- /dev/null +++ b/SOURCES/0731-bootspec-fix-null-dereference-read.patch @@ -0,0 +1,38 @@ +From ebb3f05ef5d2bf3543e61047a658103baa293ca0 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Fri, 2 Dec 2022 14:30:22 +0900 +Subject: [PATCH] bootspec: fix null-dereference-read + +Fixes [oss-fuzz#53578](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53578). +Fixes #25450. + +(cherry picked from commit 46dc071985ff487f5ccf20808531168a6add73d3) + +Related: RHEL-40119 +--- + src/shared/bootspec.c | 2 ++ + ...lusterfuzz-testcase-minimized-fuzz-bootspec-5731869371269120 | 1 + + 2 files changed, 3 insertions(+) + create mode 100644 test/fuzz/fuzz-bootspec/clusterfuzz-testcase-minimized-fuzz-bootspec-5731869371269120 + +diff --git a/src/shared/bootspec.c b/src/shared/bootspec.c +index 61e20c40a8..7fe8845429 100644 +--- a/src/shared/bootspec.c ++++ b/src/shared/bootspec.c +@@ -996,6 +996,8 @@ static int boot_config_find(const BootConfig *config, const char *id) { + if (id[0] == '@') { + if (!strcaseeq(id, "@saved")) + return -1; ++ if (!config->entry_selected) ++ return -1; + id = config->entry_selected; + } + +diff --git a/test/fuzz/fuzz-bootspec/clusterfuzz-testcase-minimized-fuzz-bootspec-5731869371269120 b/test/fuzz/fuzz-bootspec/clusterfuzz-testcase-minimized-fuzz-bootspec-5731869371269120 +new file mode 100644 +index 0000000000..8804abd094 +--- /dev/null ++++ b/test/fuzz/fuzz-bootspec/clusterfuzz-testcase-minimized-fuzz-bootspec-5731869371269120 +@@ -0,0 +1 @@ ++{"config":"default @saved","loader":[""]} +\ No newline at end of file diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 2b25abb..5dc6085 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -12,6 +12,10 @@ %global system_unit_dir %{pkgdir}/system %global user_unit_dir %{pkgdir}/user +# defining macros needed by SELinux +%global selinuxtype targeted +%global modulename systemd-container-coredump + # Bootstrap may be needed to break intercircular dependencies with # cryptsetup, e.g. when re-building cryptsetup on a json-c SONAME-bump. %bcond_with bootstrap @@ -21,7 +25,7 @@ Name: systemd Url: https://systemd.io Version: 252 -Release: 32%{?dist} +Release: 32%{?dist}.6 # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -70,6 +74,8 @@ Source25: rc.local %global rhel_nns_version 0.5 Source26: https://gitlab.com/mschmidt2/rhel-net-naming-sysattrs/-/archive/v%{rhel_nns_version}/rhel-net-naming-sysattrs-v%{rhel_nns_version}.tar.gz +Source27: %{modulename}.pp.bz2 + %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip @@ -799,6 +805,21 @@ Patch0713: 0713-random-seed-don-t-refresh-EFI-random-seed-from-rando.patch Patch0714: 0714-bootctl-downgrade-graceful-messages-to-LOG_NOTICE.patch Patch0715: 0715-units-rename-rework-systemd-boot-system-token.servic.patch Patch0716: 0716-bootctl-split-out-setting-of-system-token-into-funct.patch +Patch0717: 0717-execute-Pass-AT_FDCWD-instead-of-1.patch +Patch0718: 0718-coredump-generate-stacktraces-also-for-processes-run.patch +Patch0719: 0719-test-add-a-couple-of-tests-for-systemd-coredump.patch +Patch0720: 0720-test-don-t-expand-the-subshell-expression-prematurel.patch +Patch0721: 0721-coredump-filter-fix-stack-overflow-with-all.patch +Patch0722: 0722-coredump-filter-add-mask-for-all-using-UINT32_MAX-no.patch +Patch0723: 0723-test-add-coverage-for-CoredumpFilter-all.patch +Patch0724: 0724-test-rotate-journal-before-storing-coredumps.patch +Patch0725: 0725-test-sync-with-the-fake-binary-before-killing-it.patch +Patch0726: 0726-test-check-coredump-handling-in-containers-namespace.patch +Patch0727: 0727-ukify-make-the-test-happy-with-the-latest-OpenSSL.patch +Patch0728: 0728-kernel-install-fix-uki-copy-deinstall.patch +Patch0729: 0729-cryptsetup-do-not-assert-when-unsealing-token-withou.patch +Patch0730: 0730-cryptsetup-check-the-existence-of-salt-by-salt_size-.patch +Patch0731: 0731-bootspec-fix-null-dereference-read.patch # Downstream-only patches (9000–9999) @@ -867,11 +888,17 @@ BuildRequires: git-core %if 0%{?have_gnu_efi} BuildRequires: gnu-efi gnu-efi-devel %endif +BuildRequires: selinux-policy-devel Requires(post): coreutils Requires(post): sed Requires(post): acl Requires(post): grep + +# selinux +Requires(post): libselinux-utils +Requires(post): policycoreutils + # systemd-machine-id-setup requires libssl Requires(post): openssl-libs Requires(pre): coreutils @@ -1362,6 +1389,9 @@ install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/fileattrs/ %{SOURCE22} install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE23} install -m 0755 -D -t %{buildroot}%{_rpmconfigdir}/ %{SOURCE24} +# install policy modules +install -m 0644 -D -t %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/ %{SOURCE27} + %find_lang %{name} # Split files in build root into rpms. See split-files.py for the @@ -1464,6 +1494,9 @@ chmod g+s /{run,var}/log/journal/{,${machine_id}} &>/dev/null || : # Apply ACL to the journal directory setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || : +# Install our own selinux-policy module that allows systemd-coredump access to containers +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + [ $1 -eq 1 ] || exit 0 # We reset the enablement of all services upon initial installation @@ -1608,6 +1641,7 @@ systemd-hwdb update &>/dev/null || : %global _docdir_fmt %{name} %files -f %{name}.lang -f .file-list-main +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %doc %{_pkgdocdir} %exclude %{_pkgdocdir}/LICENSE.* %license LICENSE.GPL2 LICENSE.LGPL2.1 @@ -1627,6 +1661,7 @@ systemd-hwdb update &>/dev/null || : %ghost %dir %attr(0755,-,-) /etc/systemd/system/system-update.target.wants %ghost %dir %attr(0755,-,-) /etc/systemd/system/timers.target.wants %ghost %dir %attr(0755,-,-) /var/lib/rpm-state/systemd +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %files libs -f .file-list-libs %license LICENSE.LGPL2.1 @@ -1664,6 +1699,35 @@ systemd-hwdb update &>/dev/null || : %{_prefix}/lib/dracut/modules.d/70rhel-net-naming-sysattrs/* %changelog +* Wed Jun 12 2024 systemd maintenance team - 252-32.6 +- cryptsetup: do not assert when unsealing token without salt (RHEL-40119) +- cryptsetup: check the existence of salt by salt_size > 0 (RHEL-40119) +- bootspec: fix null-dereference-read (RHEL-40119) + +* Wed May 22 2024 Jan Macku - 252-32.5 +- spec: return selinux dependencies (RHEL-36471) + +* Mon May 20 2024 systemd maintenance team - 252-32.4 +- kernel-install: fix uki-copy deinstall (RHEL-35994) + +* Wed May 15 2024 Jan Macku - 252-32.3 +- remove selinux post-requires for python (RHEL-36471) + +* Fri Apr 26 2024 systemd maintenance team - 252-32.2 +- coredump: generate stacktraces also for processes running in containers w/o coredump forwarding (RHEL-34061) +- test: add a couple of tests for systemd-coredump (RHEL-34061) +- test: don't expand the subshell expression prematurely (RHEL-34061) +- coredump filter: fix stack overflow with =all (RHEL-34061) +- coredump filter: add mask for 'all' using UINT32_MAX, not UINT64_MAX (RHEL-34061) +- test: add coverage for CoredumpFilter=all (RHEL-34061) +- test: rotate journal before storing coredumps (RHEL-34061) +- test: sync with the fake binary before killing it (RHEL-34061) +- test: check coredump handling in containers & namespaces (RHEL-34061) +- ukify: make the test happy with the latest OpenSSL (RHEL-34061) + +* Thu Apr 11 2024 systemd maintenance team - 252-32.1 +- execute: Pass AT_FDCWD instead of -1 (RHEL-32259) + * Mon Mar 18 2024 Jan Macku - 252-32 - rebase rhel-net-naming-sysattrs to v0.5