From: Lennart Poettering Date: Fri, 5 Jan 2024 15:41:24 +0000 (+0100) Subject: nspawn: lock down access to notify socket a bit X-Git-Tag: v256-rc1~1252 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6db53d20f5833570488aef2ae27489bbfdfd3f41;p=thirdparty%2Fsystemd.git nspawn: lock down access to notify socket a bit On Linux only the "w" access bit is necessary to connect to an AF_UNIX socket, hence let's only set that and nothing else, to limit exposure. Just paranoia.
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 53e49c4b36c..839b90cc5dd 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3593,9 +3593,11 @@ static int setup_notify_child(void) {
         (void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH, 0755);
         (void) sockaddr_un_unlink(&sa.un);
 
-        r = bind(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
-        if (r < 0)
-                return log_error_errno(errno, "bind(" NSPAWN_NOTIFY_SOCKET_PATH ") failed: %m");
+        WITH_UMASK(0577) { /* only set "w" bit, which is all that's necessary for connecting from the container */
+                r = bind(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
+                if (r < 0)
+                        return log_error_errno(errno, "bind(" NSPAWN_NOTIFY_SOCKET_PATH ") failed: %m");
+        }
 
         r = userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH, 0, 0);
         if (r < 0)
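Review bot: A umask of 0577 leaves the socket inode at mode 0200 (0777 & ~0577), i.e. writable by the owner only, and the `userns_lchown(..., 0, 0)` that follows hands that ownership to the container's root; so after this change only UID 0 inside the container (or a process holding CAP_DAC_OVERRIDE) can connect(), and any unprivileged container service that relies on NOTIFY_SOCKET would now get EACCES — whether that is intended is not visible from this hunk and is worth confirming. If unprivileged senders are meant to keep working, `WITH_UMASK(0555)` gives mode 0222, which still strips every read/execute bit as the commit message intends. The inline comment should state the resulting mode and the dependency on the chown below so the next reader does not have to recompute it, e.g. `/* umask 0577 -> socket mode 0200: connect() on AF_UNIX needs only the "w" bit, and the inode is chown'd to container root right below */`. Note that WITH_UMASK changes the process-wide umask for the scope of the block; presumably setup_notify_child runs single-threaded in the child, but that should hold for any future caller too. setup_notify_child() begins and ends outside this hunk.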