From: Zbigniew Jędrzejewski-Szmek
Date: Mon, 5 May 2025 13:48:40 +0000 (+0200)
Subject: coredump: also stop forwarding non-dumpable processes
X-Git-Tag: v258-rc1~448^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8fc7b2a211eb13ef1a94250b28e1c79cab8bdcb9;p=thirdparty%2Fsystemd.git

coredump: also stop forwarding non-dumpable processes

See the comment in the patch for details.

Suggested-by: Qualys Security Advisory
---

diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index bfb7db9d284..29ab5eca9a2 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -1564,13 +1564,23 @@ static int receive_ucred(int transport_fd, struct ucred *ret_ucred) {
         return 0;
 }
 
-static int can_forward_coredump(const PidRef *pid) {
+static int can_forward_coredump(Context *context, const PidRef *pid) {
         _cleanup_free_ char *cgroup = NULL, *path = NULL, *unit = NULL;
         int r;
 
+        assert(context);
         assert(pidref_is_set(pid));
         assert(!pidref_is_remote(pid));
 
+        /* We don't use %F/pidfd to pin down the crashed process yet. We need to avoid a situation where the
+         * attacker crashes a SUID process or a root daemon and quickly replaces it with a namespaced process
+         * and we forward the initial part of the coredump to the attacker, inside the namespace.
+         *
+         * TODO: relax this check when %F is implemented and used.
+         */
+        if (context->dumpable != 1)
+                return false;
+
         r = cg_pidref_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
         if (r < 0)
                 return r;
@@ -1615,7 +1625,7 @@ static int forward_coredump_to_container(Context *context) {
         if (r < 0)
                 return log_debug_errno(r, "Failed to get namespace leader: %m");
 
-        r = can_forward_coredump(&leader_pid);
+        r = can_forward_coredump(context, &leader_pid);
         if (r < 0)
                 return log_debug_errno(r, "Failed to check if coredump can be forwarded: %m");
         if (r == 0)
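Review bot: The new guard `if (context->dumpable != 1)` in can_forward_coredump compares against a bare literal, and the comment above it explains the PID-reuse race but not which dumpable states are being refused; the kernel's dumpable values are 0 (disabled), 1 (dumpable by the user) and 2 (root-only, presumably the set-uid case the comment mentions), so `!= 1` deliberately keeps both 0 and 2 local. A one-line comment on the condition would make that policy explicit, e.g. `/* Only fully dumpable (SUID_DUMP_USER == 1) crashes may leave the host; 0 (disabled) and 2 (root-only) stay local. */`, and if the tree already has named constants for these states, comparing against the name rather than `1` would read better. This early `return false` yields a silent 0 to the caller in the second hunk, which distinguishes `r < 0` from `r == 0`; a `log_debug()` naming the dumpable value before returning would help anyone diagnosing why forwarding to a container stopped after this change. The body of can_forward_coredump continues past the end of the hunk, so its later return paths are not visible here.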