Revert "coredump: lock down EnterNamespace= mount even more"

This reverts commit 4c9c8b8d09. Reverted change broke EnterNamespace= completely. For example, libdw tries to access libc in /lib64 which points to usr/lib64 and that fails. Similarly for binaries, we need to be able to resolve /bin to usr/bin and /sbin to usr/sbin at the very least.
2026-04-14 00:14:32 +09:00 · 2025-03-14 09:16:17 +01:00
parent b525942037
commit 8f8148cb08
1 changed files with 7 additions and 4 deletions
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -833,10 +833,13 @@ static int attach_mount_tree(int mount_tree_fd) {
                return log_warning_errno(r, "Failed to create directory: %m");

        r = mount_setattr(mount_tree_fd, "", AT_EMPTY_PATH,
-                                &(struct mount_attr) {
-                                        .attr_set = MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOSYMFOLLOW,
-                                        .propagation = MS_SLAVE,
-                                }, sizeof(struct mount_attr));
+                          &(struct mount_attr) {
+                                  /* MOUNT_ATTR_NOSYMFOLLOW is left out on purpose to allow libdwfl to resolve symlinks.
+                                   * libdwfl will use openat2() with RESOLVE_IN_ROOT so there is no risk of symlink escape.
+                                   * https://sourceware.org/git/?p=elfutils.git;a=patch;h=06f0520f9a78b07c11c343181d552791dd630346 */
+                                  .attr_set = MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC,
+                                  .propagation = MS_SLAVE,
+                          }, sizeof(struct mount_attr));
        if (r < 0)
                return log_warning_errno(errno, "Failed to change properties of mount tree: %m");