fix(nspawn): make files exposed in /run/host/ read-only via access mode #73
deepin-ci-robot wants to merge 1 commit into
Conversation
The directory /run/host/ is mounted read-only anyway, but let's lock down the container-manager and container-uuid files on every level possible by adding a new WRITE_STRING_FILE_MODE_0444 flag and using it when writing these files in nspawn.

Changes:
- Add debian/patches/fix-nspawn-restrict-run-host-files-read-only.patch
- Modify debian/patches/series
- Modify debian/changelog

Upstream: systemd/systemd#30791
Generated-By: glm-5-turbo
Co-Authored-By: deepin-ci-robot <packages@deepin.org>
TAG Bot TAG: 255.2-4deepin37
This patch consists of two parts that together implement a small security hardening:

Patch 1/2: add a WRITE_STRING_FILE_MODE_0444 flag to write_string_file()

Originally, write_string_file() supported only two permission modes when creating files:
0600 (readable and writable by root only)

Also note that the bit position of WRITE_STRING_FILE_SUPPRESS_REDUNDANT_VIRTUAL moves from 1 << 11 to 1 << 12 to make room for the new flag.

Patch 2/2: use the new flag in nspawn for the two /run/host/ files

For the two metadata files inside the container:
/run/host/container-manager (the container type name)

Purpose: although the /run/host/ directory itself is already mounted read-only, so these two files effectively cannot be modified, the files are also set read-only at the file-permission level for defense in depth: even if the read-only mount of the directory were somehow bypassed, the files' own permissions still provide a layer of protection.

Summary: this is a small security hardening patch. Its core is to also mark the read-only metadata files as 0444 at the inode permission level, eliminating unnecessary write permission.
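As an added illustration of the mechanism this comment describes (example code written for this page, not from the PR or from systemd; the flag layout, bit positions and function names are assumptions, chosen to mirror the idea of a new 0444 flag and the shifted SUPPRESS_REDUNDANT_VIRTUAL bit):

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative flag layout (an assumption for this example, not systemd's actual enum):
 * the new 0444 flag takes a bit, and SUPPRESS_REDUNDANT_VIRTUAL moves up one bit. */
enum {
        WSF_CREATE                     = 1 << 0,
        WSF_MODE_0600                  = 1 << 1,
        WSF_MODE_0444                  = 1 << 11,
        WSF_SUPPRESS_REDUNDANT_VIRTUAL = 1 << 12,
};

/* Creation mode derived from the flags: 0600 first, then the new 0444, else 0644. */
static mode_t mode_from_flags(unsigned flags) {
        if (flags & WSF_MODE_0600)
                return 0600;
        if (flags & WSF_MODE_0444)
                return 0444;
        return 0644;
}

/* Minimal write_string_file() analogue. The fchmod() after the write pins the mode to
 * 0444 even if the file already existed with a wider mode or the umask altered what
 * open() created. Note: mode bits do not stop a process with CAP_DAC_OVERRIDE; the
 * read-only /run/host/ mount is the other layer of the defense in depth described here. */
static int write_string_file_mode(const char *path, const char *s, unsigned flags) {
        mode_t mode = mode_from_flags(flags);
        int oflags = O_WRONLY | O_CLOEXEC | O_TRUNC | ((flags & WSF_CREATE) ? O_CREAT : 0);
        int fd = open(path, oflags, mode);
        if (fd < 0)
                return -errno;
        size_t len = strlen(s);
        if (write(fd, s, len) != (ssize_t) len || fchmod(fd, mode) < 0) {
                int r = -errno;
                close(fd);
                return r;
        }
        close(fd);
        return 0;
}

/* Permission bits of path (for the check below), or -1 if it cannot be stat()ed. */
static int file_mode(const char *path) {
        struct stat st;
        if (stat(path, &st) < 0)
                return -1;
        return (int) (st.st_mode & 07777);
}
```

Once the file is 0444, a later open(O_WRONLY) on it by an unprivileged process fails with EACCES, which is the extra layer the comment above is after.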
Summary
Backport upstream PR #30791: Make files exposed in /run/host/ in nspawn read-only via access mode. Adds a new WRITE_STRING_FILE_MODE_0444 flag and uses it when writing the container-manager and container-uuid files to lock them down on every level.

Changes
Upstream
systemd/systemd@9807ee19b077112819e96b62b6835453696362d7
systemd/systemd@05794f5c48b806ddf7e932ed9b0a72e39b641971
systemd/systemd@2148c669d2fe8352ed3b4c1d42e55d90ecc4b68d
Generated-By: glm-5-turbo
Co-Authored-By: deepin-ci-robot <packages@deepin.org>