Fixes #26413: the docs said that the filter prevents writes, but it just a
filter at the system call level, and some of those calls are used for writing
and reading. This is confusing esp. when a higher level library call like
ntp_gettime() is denied.
I don't think it's realistic that we'll make the filter smarter in the near
future, so let's change the docs to describe the implementation.
Also, split out the advice part into a separate paragraph.
Unlike most other bus connections in our codebase this one is created
manually and every setting set invididually. It hence does not have a
description by default (as all automatic connections have). Set one
explicitly.
sd-bus: use the new information in the client's sockaddr in the creds structure
Now that clients might convey comm/description strings via the sockaddr,
let's actually use them on the other side, read the data via
getpeername() parse it, and include it in the "owner" creds (which is
how we call the peer's creds).
Frantisek Sumsal [Mon, 15 May 2023 18:25:43 +0000 (20:25 +0200)]
nspawn: fix a global-buffer-overflow
Whoopsie.
=================================================================
==3789231==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000051d0b8 at pc 0x7f70850bc904 bp 0x7ffd9bbdf660 sp 0x7ffd9bbdf658
READ of size 8 at 0x00000051d0b8 thread T0
#0 0x7f70850bc903 in json_dispatch ../src/shared/json.c:4347
#1 0x4a5b54 in oci_seccomp_syscalls ../src/nspawn/nspawn-oci.c:1838
#2 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#3 0x4a668c in oci_seccomp ../src/nspawn/nspawn-oci.c:1905
#4 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#5 0x4a7d8c in oci_linux ../src/nspawn/nspawn-oci.c:2030
#6 0x7f70850bd359 in json_dispatch ../src/shared/json.c:4395
#7 0x4aa31c in oci_load ../src/nspawn/nspawn-oci.c:2198
#8 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744
#9 0x44ffa7 in run ../src/nspawn/nspawn.c:5477
#10 0x4552fb in main ../src/nspawn/nspawn.c:5920
#11 0x7f7083a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#12 0x7f7083a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#13 0x40d284 in _start (/home/fsumsal/repos/@systemd/systemd/build-san/systemd-nspawn+0x40d284)
0x00000051d0b8 is located 40 bytes to the left of global variable 'bus_standard_errors_copy_0' defined in '../src/libsystemd/sd-bus/bus-error.h:57:1' (0x51d0e0) of size 8
0x00000051d0b8 is located 0 bytes to the right of global variable 'table' defined in '../src/nspawn/nspawn-oci.c:1829:43' (0x51d040) of size 120
SUMMARY: AddressSanitizer: global-buffer-overflow ../src/shared/json.c:4347 in json_dispatch
Shadow bytes around the buggy address:
0x00008009b9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009b9d0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008009b9e0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x00008009b9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x00008009ba10: 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 00 f9 f9 f9
0x00008009ba20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009ba60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3789231==ABORTING
Frantisek Sumsal [Mon, 15 May 2023 17:45:13 +0000 (19:45 +0200)]
nspawn: call json_dispatch() with a correct pointer
Otherwise hilarity ensues:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==722==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffff00000000 (pc 0x7f8d50ca9ffb bp 0x7fff11b0d4a0 sp 0x7fff11b0cc30 T0)
==722==The signal is caused by a READ memory access.
#0 0x7f8d50ca9ffb in __interceptor_strcmp.part.0 (/lib64/libasan.so.8+0xa9ffb)
#1 0x7f8d4f9cf5a1 in strcmp_ptr ../src/fundamental/string-util-fundamental.h:33
#2 0x7f8d4f9cf5f8 in streq_ptr ../src/fundamental/string-util-fundamental.h:46
#3 0x7f8d4f9d74d2 in free_and_strdup ../src/basic/string-util.c:948
#4 0x49139a in free_and_strdup_warn ../src/basic/string-util.h:197
#5 0x4923eb in oci_absolute_path ../src/nspawn/nspawn-oci.c:139
#6 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395
#7 0x4a8831 in oci_hooks_array ../src/nspawn/nspawn-oci.c:2089
#8 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395
#9 0x4a8b56 in oci_hooks ../src/nspawn/nspawn-oci.c:2112
#10 0x7f8d4f6bd359 in json_dispatch ../src/shared/json.c:4395
#11 0x4aa298 in oci_load ../src/nspawn/nspawn-oci.c:2197
#12 0x446cec in load_oci_bundle ../src/nspawn/nspawn.c:4744
#13 0x44ffa7 in run ../src/nspawn/nspawn.c:5477
#14 0x4552fb in main ../src/nspawn/nspawn.c:5920
#15 0x7f8d4e04a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#16 0x7f8d4e04a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#17 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib64/libasan.so.8+0xa9ffb) in __interceptor_strcmp.part.0
==722==ABORTING
Frantisek Sumsal [Tue, 16 May 2023 06:18:32 +0000 (08:18 +0200)]
nspawn: avoid NULL pointer dereference
When merging the settings we take the pointer to the array of extra
devices, but don't reset the array counter to zero. This later leads to
a NULL pointer dereference, where device_node_array_free() attempts to
loop over a NULL pointer:
+ systemd-nspawn --oci-bundle=/var/lib/machines/testsuite-13.oci-bundle.Npo
../src/nspawn/nspawn-settings.c:118:29: runtime error: member access within null pointer of type 'struct DeviceNode'
#0 0x4b91ee in device_node_array_free ../src/nspawn/nspawn-settings.c:118
#1 0x4ba42a in settings_free ../src/nspawn/nspawn-settings.c:161
#2 0x410b79 in settings_freep ../src/nspawn/nspawn-settings.h:249
#3 0x446ce8 in load_oci_bundle ../src/nspawn/nspawn.c:4733
#4 0x44ff42 in run ../src/nspawn/nspawn.c:5476
#5 0x455296 in main ../src/nspawn/nspawn.c:5919
#6 0x7f0cb7a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
#7 0x7f0cb7a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8)
#8 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/nspawn/nspawn-settings.c:118:29 in
Also, add an appropriate assert to catch such issues in the future.
sd-bus: bind outgoing AF_UNIX sockets to abstract addresses conveying client comm + bus description string
Let's pass some additional meta information along bus connections
without actually altering the communication protocol.
Pass the client comm and client description string of the bus via
including it in the abstract namespace client socket address we connect
to. This is purely informational (and entirely user controlled), but has
the benefit that servers can make use of the information if they want,
but really don't have to. It works entirely transparently.
This takes inspiration from how we convey similar information via
credential socket connections.
Yu Watanabe [Tue, 16 May 2023 03:28:23 +0000 (12:28 +0900)]
udev/net: assign alternative names only on add uevent
Previously, we first assign alternative names to a network interface,
then later change its main name if requested. So, we could not assign
the name that currently assigned as the main name of an interface as an
alternative name. So, we retry to assign the previous main name as an
alternative name on later move uevent.
However, that causes some confusing situation. E.g. if a .link file has
```
Name=foo
AlternativeNames=foo baz
```
then even if the interface is renamed by a user e.g. by invoking 'ip link'
command manually, the interface can be still referenced as 'foo', as the
name is now assigned as an alternative name.
This makes the order of name assignment inverse: the main name is first
changed, and then the requested alternative names are assigned. And
udevd do not assign alternative names on move uevent.
namespace: introduce a common dir in /run/ that we can use to see new root fs up on
This creates a new dir /run/systemd/mount-rootfs/ early in PID 1 that
thus always exists. It's supposed to be used by any code that creates
its own mount namespace and then sets up a new root dir to switch into.
So far in many cases we used a temporary dir (which needed explicit
clean-up) or a purpose-specific fixed dir.
Let's create a common dir instead, that always exists (as it is created
in PID 1 early on, always).
Besides making things more robust, as manual clean-up of the inode is
not necessary anymore this also opens the door for unprivileged programs
to use the same dir, since it now always exists.
Set the access mode to 555 (instead of the otherwise previously used
0755, 0700 or similar), so that unprivileged programs can access it, but
we make clear it's not supposed to be written directly to, by anyone,
not even root.
In https://github.com/systemd/systemd/pull/27637#issuecomment-1547517316
we discussed disclaiming warranty when distros do version mixing.
But to make this disclaimer meaningful, we need to document what options are
available.
Before libsystemd-daemon, libsystemd-journal, libsystemd-id128, etc., were
merged into libsystemd, it was enough to have individual man pages for them.
But they have been delivered as one thing for many years, so it's better to
have a landing page for libsystemd. It mostly directs to individual pages
anyway.
Daan De Meyer [Mon, 15 May 2023 12:08:22 +0000 (14:08 +0200)]
mkosi: Drop squashfs dropin
This accidentally got pulled into a commit even though it was only
for local testing, let's drop it again so we correctly use erofs
when building local images.
Daan De Meyer [Mon, 15 May 2023 09:54:14 +0000 (11:54 +0200)]
mkosi: Install tmux in the final image
We currently have to resort to SSH to get more than one interactive
terminal in a mkosi qemu VM. Let's increase our options by installing
tmux in the final image, which can multiplex the serial console into
many unique terminal sessions.
Daan De Meyer [Wed, 10 May 2023 13:16:09 +0000 (15:16 +0200)]
machine-id-setup: Do not overwrite if /etc/machine-id contains uninitialized
When we're building OS images, we never want /etc/machine-id to contain
anything other than "uninitialized" until we actually boot the image. So
let's allow image builders to write "uninitialized" to /etc/machine-id
and if systemd-machine-id-setup is called after, make sure we don't
overwrite it.