coredump: also stop forwarding non-dumpable processes
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 5 May 2025 13:48:40 +0000 (15:48 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 28 May 2025 22:10:55 +0000 (00:10 +0200)
See the comment in the patch for details.

Suggested-by: Qualys Security Advisory <qsa@qualys.com>
src/coredump/coredump.c

index bfb7db9d2843cf73c6d7bf65a281e8a59045a3ca..29ab5eca9a2fe7bb4fbf339df62017cd9ee95844 100644 (file)
@@ -1564,13 +1564,23 @@ static int receive_ucred(int transport_fd, struct ucred *ret_ucred) {
         return 0;
 }
 
-static int can_forward_coredump(const PidRef *pid) {
+static int can_forward_coredump(Context *context, const PidRef *pid) {
         _cleanup_free_ char *cgroup = NULL, *path = NULL, *unit = NULL;
         int r;
 
+        assert(context);
         assert(pidref_is_set(pid));
         assert(!pidref_is_remote(pid));
 
+        /* We don't use %F/pidfd to pin down the crashed process yet. We need to avoid a situation where the
+         * attacker crashes a SUID process or a root daemon and quickly replaces it with a namespaced process
+         * and we forward the initial part of the coredump to the attacker, inside the namespace.
+         *
+         * TODO: relax this check when %F is implemented and used.
+         */
+        if (context->dumpable != 1)
+                return false;
+
         r = cg_pidref_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
         if (r < 0)
                 return r;
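Review bot: The literal `1` in `if (context->dumpable != 1)` encodes a kernel constant without naming it; PR_GET_DUMPABLE yields 0 (SUID_DUMP_DISABLE), 1 (SUID_DUMP_USER) or 2 (SUID_DUMP_ROOT), so the check rejects both the "not dumpable" and the "dumpable only for root" cases, which matches the comment's intent but requires the reader to know the encoding. Writing `if (context->dumpable != SUID_DUMP_USER)` (from `<sys/prctl.h>`, assuming it is already included by this file) would make that explicit; failing that, a comment such as `/* 1 == SUID_DUMP_USER: only forward crashes of ordinary fully-dumpable processes; 0 and 2 (SUID/root daemons) are handled locally */` would do. The comment should also state that the check depends on `context->dumpable` being the value the kernel passed alongside the core (rather than something re-read from the process later), since the PID-reuse race it guards against is exactly the case where re-reading would be wrong; where the field is populated is not visible in this hunk. can_forward_coredump continues past the end of the hunk.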
@@ -1615,7 +1625,7 @@ static int forward_coredump_to_container(Context *context) {
         if (r < 0)
                 return log_debug_errno(r, "Failed to get namespace leader: %m");
 
-        r = can_forward_coredump(&leader_pid);
+        r = can_forward_coredump(context, &leader_pid);
         if (r < 0)
                 return log_debug_errno(r, "Failed to check if coredump can be forwarded: %m");
         if (r == 0)