For MountImages=, if the source is a block device, it will most likely reside
in /dev. It should be also possible to mount a static device file system in
place of (or part of) /dev. So let's allow paths starting with /dev as an
exception for MountImages=.
In various contexts it's a bit icky to allow paths below /proc/, /sys/,
/dev/ i.e. file hierarchies where API VFS are placed. Let's add a new
flag for path_simplify_and_warn() to check for this and refuse a path if
in these paths.
Enable this when parsing WorkingDirectory=.
This is inspired by CVE-2024-21626, which uses trickery around the cwd
and /proc/self/fd/.
AFAICS we are not actually vulnerable to the same issue as explained in
the CVE since we execute the WorkingDirectory= setting very late, i.e.
long after we set up the new mount namespace. But let's filter out icky
stuff better earlier than later, as extra safety precaution.
This patch adds a new parameter to parse_ip_port_range, giving callers
the option to allow ranges to have their min be 0 instead of 1.
This is then used by parse_ip_ports_token, intern used by
parse_socket_bind_item to allow port 0 when restricting bind system
calls with SocketBindDeny / SocketBindAllow.
With this, users running server software written using the golang
standard library will be able to effectively sandbox their software,
albeit with a small loss in security protections by allowing the
process to bind on a random port in the
/proc/sys/net/ipv4/ip_local_port_range.
That file only exported one function, and it fits nicely within the scope of
"parse helpers". Let's move it there to reduce the file count a bit.
No functional change.
This is a high-level function, and it belongs in libsystemd-shared. This way we
don't end up linking a separate copy into various binaries. It would even end
up in libsystemd, where it is not needed. (Maybe it'd be removed in some
optimization phase, but it's better to not rely on that.)
$ grep -l -r -a 'path is not absolute%s' build/
build/libnss_systemd.so.2
build/pam_systemd_home.so
build/test-dlopen
build/src/basic/libbasic.a.p/path-util.c.o
build/src/basic/libbasic.a
build/src/shared/libsystemd-shared-249.so
build/test-bus-error
build/libnss_mymachines.so.2
build/pam_systemd.so
build/libnss_resolve.so.2
build/libnss_myhostname.so.2
build/libsystemd.so.0.32.0
build/libudev.so.1.7.2
$ grep -l -r -a 'path is not absolute%s' build/
build/src/shared/libsystemd-shared-251.a.p/parse-helpers.c.o
build/src/shared/libsystemd-shared-251.a
build/src/shared/libsystemd-shared-251.so
No functional change.
