Accepting request 1130687 from home:ohollmann:branches:security

- Remove haveged-switch-root.service because it's implemented incorrectly and neither upstream don't know how to fix it (#77). On the other hand, without this service haveged will be started from scratch after switch root so it's hopefully no big deal. Also remove patch for bsc#1203079 as it's considered as a security threat because of creating fixed name file in world-writable directory. [jsc#PED-6184, bsc#1206699] * Remove - haveged-switch-root.service - haveged-switch-root.patch OBS-URL: https://build.opensuse.org/request/show/1130687 OBS-URL: https://build.opensuse.org/package/show/security/haveged?expand=0&rev=149
2023-12-04 09:40:17 +00:00 · 2023-12-04 09:40:17 +00:00 · 5eba5ca9bf
commit 5eba5ca9bf
parent 858bf80d64
5 changed files with 15 additions and 242 deletions
--- a/haveged-dracut.module
+++ b/haveged-dracut.module
@ -16,11 +16,9 @@ installkernel() {
 install() {
    inst_multiple -o \
        /usr/sbin/haveged \
-        $systemdsystemunitdir/haveged.service \
+        $systemdsystemunitdir/haveged.service
        $systemdsystemunitdir/haveged-switch-root.service
    mkdir -p "$initdir/$systemdsystemunitdir/sysinit.target.wants"
    mkdir -p "$initdir/$systemdsystemunitdir/initrd-switch-root.target.wants"
    mkdir -p "$initdir/$systemdsystemunitdir/systemd-journald.service.wants"
    ln_r "$systemdsystemunitdir/haveged.service" "$systemdsystemunitdir/systemd-journald.service.wants/haveged.service"
    ln_r "$systemdsystemunitdir/haveged-switch-root.service" "$systemdsystemunitdir/initrd-switch-root.target.wants/haveged-switch-root.service"
 }
--- a/haveged-switch-root.patch
+++ b/haveged-switch-root.patch
@ -1,198 +0,0 @@
 From 6a6cf4de8e31981b0e8bd3e2cf37921a8a8d3d48 Mon Sep 17 00:00:00 2001
 From: Otto Hollmann <otto.hollmann@suse.com>
 Date: Mon, 14 Nov 2022 14:47:12 +0100
 Subject: [PATCH 1/2] Synchronize haveged instances during switching root
 ---
 src/havegecmd.c | 20 +++++++++++++++++---
 src/havegecmd.h |  2 ++
 src/haveged.c   | 28 ++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 3 deletions(-)
 diff --git a/src/havegecmd.c b/src/havegecmd.c
 index 06a2367..e87767e 100644
 --- a/src/havegecmd.c
 +++ b/src/havegecmd.c
@@ -39,6 +39,7 @@
 #include <sys/stat.h>
 #include <sys/un.h>
 #include <unistd.h>
 +#include <semaphore.h>
 #ifndef HAVE_STRUCT_UCRED
 struct ucred
@@ -54,6 +55,7 @@ struct ucred
 int first_byte;
 int socket_fd;
 static char errmsg[1024];
 +extern  sem_t *sem;
 static int new_root(               /* RETURN: status                        */
    const char *root,               /* IN: path of the new root file system  */
@@ -95,6 +97,7 @@ static int new_root(               /* RETURN: status                        */
                strerror(errno));
       goto err;
       }
 +   sem_close(sem);
    ret = execv((const char *)path, argv);
    if (ret < 0) {
       snprintf(&errmsg[0], sizeof(errmsg)-1,
@@ -265,8 +268,14 @@ int socket_handler(                /* RETURN: closed file descriptor        */
       }
    if (magic[1] == '\002') {       /* ASCII start of text: read argument provided */
 -      uint32_t alen;
 -
 +      uint32_t alen = 0;
 +
 +      /*
 +       * wait for the haveged -c instance to finish writting
 +       * before continuing to read from the socket
 +       */
 +      sem_wait(sem);
 +      sem_post(sem);
       ret = receive_uinteger(fd, &alen);
       if (ret < 0) {
          print_msg("%s: can not read from UNIX socket\n", params->daemon);
@@ -285,6 +294,11 @@ int socket_handler(                /* RETURN: closed file descriptor        */
          print_msg("%s: can not read from UNIX socket\n", params->daemon);
          goto out;
          }
 +      /*
 +       * We no more need the semaphore unlink it
 +       * Not sure if it is the best place to unlink here
 +       */
 +      sem_unlink(SEM_NAME);
       }
    clen = sizeof(struct ucred);
@@ -444,7 +458,7 @@ int receive_uinteger(              /* RETURN: status                        */
    int fd,                         /* IN: file descriptor                   */
    uint32_t *value)                /* OUT: 32 bit unsigned integer          */
 {
 -   uint8_t buffer[4];
 +   uint8_t buffer[4] = {0};
    if (safein(fd, buffer, 4 * sizeof(uint8_t)) < 0)
       return -1;
 diff --git a/src/havegecmd.h b/src/havegecmd.h
 index 7765334..2f6fa96 100644
 --- a/src/havegecmd.h
 +++ b/src/havegecmd.h
@@ -49,6 +49,8 @@ extern "C" {
 #define SOCK_NONBLOCK 0
 #endif
 +#define SEM_NAME "haveged_sem"
 +
 /**
  * Open and listen on a UNIX socket to get command from there
  */
 diff --git a/src/haveged.c b/src/haveged.c
 index f668968..02c6c81 100644
 --- a/src/haveged.c
 +++ b/src/haveged.c
@@ -34,6 +34,7 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <time.h>
 +#include <semaphore.h>
 #ifndef NO_DAEMON
 #include <syslog.h>
@@ -131,6 +132,8 @@ static void usage(int db, int nopts, struct option *long_options, const char **c
 static sigset_t mask, omask;
 +sem_t *sem = NULL;
 +
 #define  ATOU(a)     (unsigned int)atoi(a)
 /**
  * Entry point
@@ -360,6 +363,15 @@ int main(int argc, char **argv)
       fd_set read_fd;
       sigset_t block;
 +      /* init semaphore */
 +      sem = sem_open(SEM_NAME, 0);
 +      if (sem == NULL) {
 +         print_msg("sem_open() failed \n");
 +         print_msg("Error : %s \n", strerror(errno));
 +         ret = -1;
 +         goto err;
 +         }
 +
       socket_fd = cmd_connect(params);
       if (socket_fd < 0) {
          ret = -1;
@@ -377,9 +389,19 @@ int main(int argc, char **argv)
             root = optarg;
             size = (uint32_t)strlen(root)+1;
             cmd[1] = '\002';
 +            /*
 +             * Synchronise haveged -c instance and daemon instance
 +             * prevent daemon instance from readin messages
 +             * from the socket until the -c instance finish writting
 +             */
 +            sem_wait(sem);
             safeout(socket_fd, &cmd[0], 2);
             send_uinteger(socket_fd, size);
             safeout(socket_fd, root, size);
 +            /*
 +             * unblock the daemon instance as we finished writting
 +             */
 +            sem_post(sem);
             break;
          case MAGIC_CLOSE:
             ptr = &cmd[0];
@@ -440,6 +462,7 @@ int main(int argc, char **argv)
          }
    err:
       close(socket_fd);
 +      sem_close(sem);
       return ret;
       }
    else if (!(params->setup & RUN_AS_APP)){
@@ -455,6 +478,11 @@ int main(int argc, char **argv)
             fprintf(stderr, "%s: disabling command mode for this instance\n", params->daemon);
          }
       }
 +      /* Initilize named semaphore to synchronize command isntances */
 +      sem = sem_open(SEM_NAME, O_CREAT, 0644, 1);
 +      if (sem == NULL) {
 +         error_exit("Couldn't create nammed semaphore " SEM_NAME" error: %s", strerror(errno));
 +      }
     }
 #endif
    if (params->tests_config == 0)
 From 55dd6b7dc851df3ccf5e52019537f420e32450dd Mon Sep 17 00:00:00 2001
 From: Otto Hollmann <otto.hollmann@suse.com>
 Date: Mon, 21 Nov 2022 13:01:53 +0100
 Subject: [PATCH 2/2] Link with -pthread
 ---
 configure.ac | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 99451c9..ff1cbaa 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -10,7 +10,7 @@ AC_CONFIG_HEADER([config.h])
 AM_INIT_AUTOMAKE([subdir-objects no-dependencies])
 AC_CONFIG_SRCDIR([src/haveged.c])
 AC_CHECK_TYPES([uint32_t, uint8_t])
 -HA_LDFLAGS=""
 +HA_LDFLAGS="-pthread"
 ##libtool_start##
 LT_INIT
@@ -73,7 +73,6 @@ AC_ARG_ENABLE(threads,
    , enable_threads="no")
 if test "x$enable_threads" = "xyes"; then
    AC_DEFINE(NUMBER_CORES, 4, [Define maxium number of collection threads])
 -   HA_LDFLAGS="-pthread"
 else
    AC_DEFINE(NUMBER_CORES, 1, [Define to single collection thread])
 fi
--- a/haveged-switch-root.service
+++ b/haveged-switch-root.service
@ -1,30 +0,0 @@
 [Unit]
 Description=Tell haveged about new root
 DefaultDependencies=no
 ConditionKernelVersion=<5.6
 ConditionPathExists=/etc/initrd-release
 Before=initrd-switch-root.service
 JoinsNamespaceOf=haveged.service
 [Service]
 ExecStart=-/usr/sbin/haveged -c root=/sysroot
 PrivateNetwork=yes
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
 ProtectHome=true
 PrivateDevices=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelModules=true
 ProtectKernelLogs=true
 ProtectControlGroups=true
 RestrictRealtime=true
 # end of automatic additions 
 Type=oneshot
 StandardInput=null
 StandardOutput=null
 StandardError=null
 [Install]
 WantedBy=initrd-switch-root.target
--- a/haveged.changes
+++ b/haveged.changes
@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Fri Oct 27 13:04:10 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
 - Remove haveged-switch-root.service because it's implemented incorrectly and
  neither upstream don't know how to fix it (#77). On the other hand, without
  this service haveged will be started from scratch after switch root so it's
  hopefully no big deal. Also remove patch for bsc#1203079 as it's considered
  as a security threat because of creating fixed name file in world-writable
  directory. [jsc#PED-6184, bsc#1206699]
  * Remove
    - haveged-switch-root.service
    - haveged-switch-root.patch
 -------------------------------------------------------------------
 Fri Dec  2 12:24:35 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
--- a/haveged.spec
+++ b/haveged.spec
@ -1,7 +1,7 @@
 #
 # spec file for package haveged
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -28,13 +28,10 @@ Source0:        https://github.com/jirka-h/haveged/archive/v%{version}.tar.gz#/%
 Source2:        %{name}.service
 Source3:        90-haveged.rules
 Source4:        haveged-dracut.module
 Source5:        %{name}-switch-root.service
 Patch0:         ppc64le.patch
 # PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237
 Patch2:         haveged-no-syslog.patch
 Patch3:         harden_haveged.service.patch
 # PATCH-FIX-UPSTREAM: Synchronize haveged instances during switching root bsc#1203079
 Patch4:         haveged-switch-root.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@ -110,8 +107,6 @@ install -Dpm 0644 %{SOURCE2} \
  %{buildroot}%{_unitdir}/%{name}.service
 install -Dpm 0644 %{SOURCE3} \
  %{buildroot}%{_udevrulesdir}/90-%{name}.rules
 install -Dpm 0644 %{SOURCE5} \
  %{buildroot}%{_unitdir}/%{name}-switch-root.service
 install -Dpm 0755 %{SOURCE4} \
  %{buildroot}%{_prefix}/lib/dracut/modules.d/98%{name}/module-setup.sh
 rm -f %{buildroot}%{_libdir}/libhavege.*a
@ -120,12 +115,10 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 %post
 %{?udev_rules_update:%udev_rules_update}
 %service_add_post %{name}.service
 %service_add_post %{name}-switch-root.service
 %{?regenerate_initrd_post}
 %postun
 %service_del_postun %{name}.service
 %service_del_postun %{name}-switch-root.service
 %{?regenerate_initrd_post}
 %posttrans
@ -133,11 +126,9 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 %pre
 %service_add_pre %{name}.service
 %service_add_pre %{name}-switch-root.service
 %preun
 %service_del_preun %{name}.service
 %service_del_preun %{name}-switch-root.service
 %post -n libhavege2 -p /sbin/ldconfig
 %postun -n libhavege2 -p /sbin/ldconfig
@ -148,7 +139,6 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
 %{_sbindir}/%{name}
 %{_mandir}/man8/%{name}.8%{?ext_man}
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-switch-root.service
 %{_udevrulesdir}/90-%{name}.rules
 %dir %{_prefix}/lib/dracut
 %dir %{_prefix}/lib/dracut/modules.d