1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <sys/utsname.h>
#include "alloc-util.h"
#include "cgroup-util.h"
#include "clock-util.h"
#include "errno-util.h"
#include "fileio.h"
#include "fs-util.h"
#include "log.h"
#include "os-util.h"
#include "path-util.h"
#include "strv.h"
#include "taint.h"
#include "uid-range.h"
static int short_uid_gid_range(UIDRangeUsernsMode mode) {
_cleanup_(uid_range_freep) UIDRange *p = NULL;
int r;
/* Taint systemd if we the UID/GID range assigned to this environment doesn't at least cover 0…65534,
* i.e. from root to nobody. */
r = uid_range_load_userns(/* path= */ NULL, mode, &p);
if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
return false;
if (r < 0)
return log_debug_errno(r, "Failed to load uid_map or gid_map: %m");
return !uid_range_covers(p, 0, 65535);
}
char* taint_string(void) {
const char *stage[12] = {};
size_t n = 0;
/* Returns a "taint string", e.g. "local-hwclock:var-run-bad". Only things that are detected at
* runtime should be tagged here. For stuff that is known during compilation, emit a warning in the
* configuration phase. */
_cleanup_free_ char *bin = NULL, *usr_sbin = NULL, *var_run = NULL;
if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
stage[n++] = "unmerged-usr";
/* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
* too. */
if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
stage[n++] = "unmerged-bin";
if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
stage[n++] = "var-run-bad";
if (cg_all_unified() == 0)
stage[n++] = "cgroupsv1";
if (clock_is_localtime(NULL) > 0)
stage[n++] = "local-hwclock";
if (os_release_support_ended(NULL, /* quiet= */ true, NULL) > 0)
stage[n++] = "support-ended";
struct utsname uts;
assert_se(uname(&uts) >= 0);
if (strverscmp_improved(uts.release, KERNEL_BASELINE_VERSION) < 0)
stage[n++] = "old-kernel";
_cleanup_free_ char *overflowuid = NULL, *overflowgid = NULL;
if (read_one_line_file("/proc/sys/kernel/overflowuid", &overflowuid) >= 0 &&
!streq(overflowuid, "65534"))
stage[n++] = "overflowuid-not-65534";
if (read_one_line_file("/proc/sys/kernel/overflowgid", &overflowgid) >= 0 &&
!streq(overflowgid, "65534"))
stage[n++] = "overflowgid-not-65534";
if (short_uid_gid_range(UID_RANGE_USERNS_INSIDE) > 0)
stage[n++] = "short-uid-range";
if (short_uid_gid_range(GID_RANGE_USERNS_INSIDE) > 0)
stage[n++] = "short-gid-range";
assert(n < ELEMENTSOF(stage) - 1); /* One extra for NULL terminator */
return strv_join((char**) stage, ":");
}
|
