coredump: also stop forwarding non-dumpable processes
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 5 May 2025 13:48:40 +0000 (15:48 +0200)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 29 May 2025 14:48:47 +0000 (16:48 +0200)
See the comment in the patch for details.

Suggested-by: Qualys Security Advisory <qsa@qualys.com>
(cherry-picked from 8fc7b2a211eb13ef1a94250b28e1c79cab8bdcb9)
(cherry-picked from 101058955eb41023e0dba5766f6bfb190ebbb4f6)

src/coredump/coredump.c

index bb1c6ec3833f3f352c6d6cdf6146ee7d47e83f72..21555ccd28581fa26993ad9bf926b2fe37e26609 100644 (file)
@@ -1414,10 +1414,21 @@ static int receive_ucred(int transport_fd, struct ucred *ret_ucred) {
         return 0;
 }
 
-static int can_forward_coredump(pid_t pid) {
+static int can_forward_coredump(Context *context, pid_t pid) {
         _cleanup_free_ char *cgroup = NULL, *path = NULL, *unit = NULL;
         int r;
 
+        assert(context);
+
+        /* We don't use %F/pidfd to pin down the crashed process yet. We need to avoid a situation where the
+         * attacker crashes a SUID process or a root daemon and quickly replaces it with a namespaced process
+         * and we forward the initial part of the coredump to the attacker, inside the namespace.
+         *
+         * TODO: relax this check when %F is implemented and used.
+         */
+        if (context->dumpable != 1)
+                return false;
+
         r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, pid, &cgroup);
         if (r < 0)
                 return r;
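Review bot: The new comment at the top of can_forward_coredump says the check guards against a crashed SUID process "or a root daemon", but the test `context->dumpable != 1` only refuses processes whose dumpable flag is not 1; a root daemon that never changed credentials or called prctl(PR_SET_DUMPABLE) would presumably still report dumpable == 1 and so still reach the PID-keyed cg_pid_get_path() lookup, where the PID-reuse race the comment describes is unchanged until %F/pidfd is used. The comment should also state what the check actually rejects: assuming the field is the kernel-supplied dumpable value (the Context definition is outside this hunk), `!= 1` excludes both 0 (not dumpable, e.g. after a setuid transition) and 2 (suid_dumpable=2, root-only cores), and neither may be handed to a container. I would extend the comment with something like `/* Only dumpable == 1 is forwarded: 0 means the process changed credentials (SUID/setuid daemon), 2 means root-only cores; neither may leave the host. Processes with dumpable == 1 remain exposed to the PID-reuse race until %F is used. */`. can_forward_coredump's body continues past the end of the hunk.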
@@ -1459,7 +1470,7 @@ static int forward_coredump_to_container(Context *context) {
         if (r < 0)
                 return log_debug_errno(r, "Failed to get namespace leader: %m");
 
-        r = can_forward_coredump(pid);
+        r = can_forward_coredump(context, pid);
         if (r < 0)
                 return log_debug_errno(r, "Failed to check if coredump can be forwarded: %m");
         if (r == 0)