From: Mike Yuan
Date: Wed, 4 Sep 2024 13:36:52 +0000 (+0200)
Subject: core/namespace: make bind mounted journal sockets nosuid + noexec + nodev
X-Git-Tag: v257-rc1~553^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=95f9e85aaae5835de8f3ef9d74d460ae2ad13f0f;p=thirdparty%2Fsystemd.git

core/namespace: make bind mounted journal sockets nosuid + noexec + nodev

Addresses https://github.com/systemd/systemd/pull/32487#discussion_r1743464797
---

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 940052b0454..026018438c8 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -121,9 +121,9 @@ typedef struct MountList {
 } MountList;
 
 static const BindMount bind_journal_sockets_table[] = {
- { (char*) "/run/systemd/journal/socket", (char*) "/run/systemd/journal/socket", .read_only = true, .ignore_enoent = true },
- { (char*) "/run/systemd/journal/stdout", (char*) "/run/systemd/journal/stdout", .read_only = true, .ignore_enoent = true },
- { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/socket", (char*) "/run/systemd/journal/socket", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/stdout", (char*) "/run/systemd/journal/stdout", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
+ { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
 };
 
 /* If MountAPIVFS= is used, let's mount /sys, /proc, /dev and /run into the it, but only as a fallback if the user hasn't mounted 
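Review bot: The three rows of bind_journal_sockets_table now each spell out the same five-flag set by hand, which is easy to let drift the next time a flag is added or one row is edited; a small macro such as `#define JOURNAL_SOCKET_BIND_MOUNT(p) { (char*) (p), (char*) (p), .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true }` would keep the rows identical and make the hardening visible at a glance. A one-line comment above the table would also help, because nosuid/noexec/nodev on these single-file mounts is defence in depth rather than the closing of a concrete hole: `/* Single-file bind mounts of the journal sockets: read-only plus nosuid/noexec/nodev so the mount points cannot carry anything but the socket into the sandbox. */`. I am inferring from the paths that these are AF_UNIX socket files, so confirm that before wording the comment that way. The trailing context line is a comment that continues past the end of the hunk.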
@@ -447,6 +447,8 @@ static int append_bind_mounts(MountList *ml, const BindMount *binds, size_t n) {
 .mode = b->recursive ? MOUNT_BIND_RECURSIVE : MOUNT_BIND,
 .read_only = b->read_only,
 .nosuid = b->nosuid,
+ .noexec = b->noexec,
+ .flags = b->nodev ? MS_NODEV : 0,
 .source_const = b->source,
 .ignore = b->ignore_enoent,
 };
@@ -2797,7 +2799,9 @@ int bind_mount_add(BindMount **b, size_t *n, const BindMount *item) {
 .source = TAKE_PTR(s),
 .destination = TAKE_PTR(d),
 .read_only = item->read_only,
+ .nodev = item->nodev,
 .nosuid = item->nosuid,
+ .noexec = item->noexec,
 .recursive = item->recursive,
 .ignore_enoent = item->ignore_enoent,
 };
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 538d23753c2..b05daa669e9 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -65,7 +65,9 @@ struct BindMount {
 char *source;
 char *destination;
 bool read_only;
+ bool nodev;
 bool nosuid;
+ bool noexec;
 bool recursive;
 bool ignore_enoent;
 };
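Review bot: nodev is the only one of the four hardening bits that travels through the raw `.flags` member, while `.read_only`, `.nosuid` and the new `.noexec` each get a dedicated MountEntry field; any later code that assigns or merges `.flags` on this entry (not visible in the hunk) can silently drop MS_NODEV, whereas the named booleans are presumably applied explicitly when the mount is set up. If MountEntry can grow another bool, `.nodev = b->nodev,` next to `.noexec = b->noexec,` would keep the four bits symmetrical and make it hard to lose one; otherwise the asymmetry deserves a comment on the added line, such as `/* MountEntry has no nodev bool; carry it in the raw mount flags. */`. append_bind_mounts begins before the hunk, so the loop that fills this entry is not visible here.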
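Review bot: The two new fields in struct BindMount arrive without any comment, so the struct now carries four mount-hardening bits whose meaning is only discoverable by reading namespace.c. A short note on each would save the next reader the trip: `bool nodev;    /* MS_NODEV on the bind mount */` and `bool noexec;   /* MS_NOEXEC on the bind mount */`, with matching `MS_RDONLY` and `MS_NOSUID` notes on `read_only` and `nosuid`. The MS_NODEV mapping is visible in append_bind_mounts in this commit; the MS_NOEXEC one I am inferring from the name, so confirm it before committing the comment. Separately, nodev is inserted before nosuid while noexec goes after it, so the field order no longer matches the nosuid/noexec/nodev order used in bind_journal_sockets_table; harmless with designated initializers, but grouping the three together would read better. The `struct BindMount {` line itself is outside the hunk.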