Dominique Leuenberger 2019-03-08 11:00:32 +00:00 committed by Git OBS Bridge
commit 7fe6edd83c
10 changed files with 204 additions and 1 deletions

@ -0,0 +1,50 @@
From 1ade50a36f23fc35abb465aa5b7cfc73b2476328 Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwilck@suse.com>
Date: Fri, 1 Feb 2019 12:09:11 +0100
Subject: [PATCH] Add documentation on blacklisted modules to mount(8) man page
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
sys-utils/mount.8 | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/sys-utils/mount.8 b/sys-utils/mount.8
index da0ac5b..c231e12 100644
--- a/sys-utils/mount.8
+++ b/sys-utils/mount.8
@@ -338,6 +338,32 @@ The
option is similar, with the restriction that the user must be
member of the group of the special file.
+.SS Blacklisted file systems
+In the Linux kernel, file system types are implemented as kernel
+modules. While many of these file systems are well maintained,
+some of the older and less frequently used ones are not. This
+poses a security risk, because maliciously crafted file system
+images might open security holes when mounted either automatically
+or by an inadvertent user. The
+.B mount
+command prints "unsupported file system type 'somefs'" in this case,
+because it can't distinguish between a really unsupported file system
+(kernel module non-existent) and a blacklisted file system.
+
+Users who need the blacklisted file systems and therefore want
+to override the blacklisting can either load the blacklisted module
+directly:
+.RS
+
+.br
+.BI "modprobe -v" " somefs"
+.br
+
+.RE
+or override the blacklist configuration by editing files under the
+.I /etc/modprobe.d
+directory.
+
.SS Bind mount operation
Remount part of the file hierarchy somewhere else. The call is:
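Review bot: The message quoted in the new section, "unsupported file system type 'somefs'", does not match what the accompanying libmount patch prints, which is "unknown filesystem type '%s'" followed by "(hint: possibly blacklisted, see mount(8))". Quote the actual wording so that a user who searches mount(8) for the error text lands on this section. The opening sentence is also too broad: file system drivers can be built into the kernel as well, so "are implemented as kernel modules" would read better as "are often implemented as kernel modules". Finally, the modprobe example should say that it has to be run as root.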
--
2.19.2

@ -0,0 +1,78 @@
From 199ae08b4df09ec4ce9d82584664e61bcb7ab91a Mon Sep 17 00:00:00 2001
From: Martin Wilck <mwilck@suse.com>
Date: Fri, 1 Feb 2019 11:36:42 +0100
Subject: [PATCH 1/2] libmount: print a blacklist hint for "unknown filesystem
type"
SUSE blacklists kernel modules for some old, poorly maintained
file systems by default for security reasons. Provide a hopefully
helpful message to users if mounting a possibly blacklisted file
system fails.
Signed-off-by: Martin Wilck <mwilck@suse.com>
---
libmount/src/context_mount.c | 41 ++++++++++++++++++++++++++++++++----
1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
index f914c9b..a48483f 100644
--- a/libmount/src/context_mount.c
+++ b/libmount/src/context_mount.c
@@ -1423,6 +1423,32 @@ done:
return rc;
}
+/*
+ * SUSE blacklists kernel modules for some old, poorly maintained
+ * file systems by default for security reasons.
+ * A set of blacklist files is maintained under /etc/modprobe.d,
+ * in the suse-module-tools package.
+ * Blacklisted file system modules will cause mount(2) to fail
+ * with -ENODEV.
+ * If this happens for one of the blacklisted file systems, provide
+ * a hint to the user where to look.
+ */
+static int is_maybe_blacklisted(const char *fstype)
+{
+ static const char *const fs_blacklist[] = {
+ "adfs", "affs", "bfs", "befs", "cramfs", "efs", "erofs",
+ "exofs", "freevxfs", "f2fs", "hfs", "hpfs",
+ "jfs", "minix", "nilfs2", "ntfs", "omfs", "qnx4", "qnx6",
+ "sysv", "ufs"
+ };
+ size_t i;
+
+ for (i = 0; i < sizeof(fs_blacklist)/sizeof(*fs_blacklist); i++)
+ if (!strcmp(fs_blacklist[i], fstype))
+ return 1;
+ return 0;
+}
+
int mnt_context_get_mount_excode(
struct libmnt_context *cxt,
int rc,
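Review bot: The fs_blacklist array in is_maybe_blacklisted() is a second, hard-coded copy of a list that the comment above it says is maintained under /etc/modprobe.d by the suse-module-tools package, so the two can drift apart. The changelog in this same commit already records jffs2 and ubifs being removed from it. Since the function only gates a hint, a stale entry produces a misleading or missing hint rather than a policy bypass, but the comment should say that the array must be kept in sync with the suse-module-tools blacklist files. The word "maybe" in the name is doing real work and deserves a sentence too: the function never checks whether the module is actually blacklisted on the running system.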
@@ -1670,10 +1696,17 @@ int mnt_context_get_mount_excode(
case ENODEV:
if (!buf)
break;
- if (mnt_context_get_fstype(cxt))
- snprintf(buf, bufsz, _("unknown filesystem type '%s'"),
- mnt_context_get_fstype(cxt));
- else
+ if (mnt_context_get_fstype(cxt)) {
+ size_t n;
+
+ n = snprintf(buf, bufsz,
+ _("unknown filesystem type '%s'"),
+ mnt_context_get_fstype(cxt));
+ if (n < bufsz &&
+ is_maybe_blacklisted(mnt_context_get_fstype(cxt)))
+ snprintf(buf + n, bufsz - n,
+ " (hint: possibly blacklisted, see mount(8))");
+ } else
snprintf(buf, bufsz, _("unknown filesystem type"));
break;
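Review bot: The hint appended by the second snprintf() is not wrapped in _(), unlike the "unknown filesystem type '%s'" text written just before it, so localized output ends in an untranslated English fragment. Mark the hint for translation, or build the whole message from one translatable format string. Storing the int result of snprintf() in size_t n also deserves a short comment: a negative return only stays harmless because it wraps to a large value and fails the n < bufsz test. Smaller points in the same branch: mnt_context_get_fstype(cxt) is called three times where a local const char * would do, and the braced if is paired with an unbraced else.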
--
2.19.2

@ -4,6 +4,7 @@ auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include common-session
#session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard
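Review bot: The pam_keyinit line has no comment explaining why force and revoke are set or why the module is optional rather than required. With optional, a failure to set up the session keyring is ignored and the login proceeds with whatever keyring the process inherited, which is the case force is meant to prevent. Add a one-line comment saying that force replaces any inherited session keyring, that revoke revokes it when the session ends, and that optional is intentional. The placement before "session include common-session" looks right, since modules in the common stack then see the new keyring, and is worth noting in that comment.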

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
- Integrate pam_keyinit pam module to login
(boo#1081947, login.pamd, remote.pamd).
-------------------------------------------------------------------
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085).
-------------------------------------------------------------------
Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwilck@suse.com>
- libmount: print a blacklist hint for "unknown filesystem type"
(jsc#SLE-4085, fate#326832), and add documentation
* add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
* add Add-documentation-on-blacklisted-modules-to-mount-8-.patch
-------------------------------------------------------------------
Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com

@ -143,6 +143,8 @@ Source16: su-l.pamd
Source51: blkid.conf
# PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
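Review bot: Patch1 and Patch2 are added without a tag comment, while Patch0 directly above them carries "# PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path". Give each new Patch line a comment in the same style that states its purpose and whether it is SUSE-specific, with the reference already used in the changelog (jsc#SLE-4085), so the spec file explains on its own why the patches are carried.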
@ -379,6 +381,8 @@ library.
%prep
%setup -q -n %{_name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%if %build_util_linux

@ -7,6 +7,7 @@ auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include common-session
session optional pam_lastlog.so nowtmp showfailed
session optional pam_mail.so standard

@ -1,3 +1,22 @@
-------------------------------------------------------------------
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
- Integrate pam_keyinit pam module to login
(boo#1081947, login.pamd, remote.pamd).
-------------------------------------------------------------------
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085).
-------------------------------------------------------------------
Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwilck@suse.com>
- libmount: print a blacklist hint for "unknown filesystem type"
(jsc#SLE-4085, fate#326832), and add documentation
* add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
* add Add-documentation-on-blacklisted-modules-to-mount-8-.patch
-------------------------------------------------------------------
Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com

@ -143,6 +143,8 @@ Source16: su-l.pamd
Source51: blkid.conf
# PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -379,6 +381,8 @@ library.
%prep
%setup -q -n %{_name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%if %build_util_linux

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
- Integrate pam_keyinit pam module to login
(boo#1081947, login.pamd, remote.pamd).
-------------------------------------------------------------------
Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop bc BuildRequires: not needed.
-------------------------------------------------------------------
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085).
-------------------------------------------------------------------
Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck <mwilck@suse.com>
- libmount: print a blacklist hint for "unknown filesystem type"
(jsc#SLE-4085, fate#326832), and add documentation
* add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
* add Add-documentation-on-blacklisted-modules-to-mount-8-.patch
-------------------------------------------------------------------
Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com

@ -75,7 +75,6 @@ Summary: %main_summary
License: GPL-2.0-or-later
Group: %main_group
BuildRequires: audit-devel
BuildRequires: bc
BuildRequires: binutils-devel
BuildRequires: fdupes
BuildRequires: gettext-devel
@ -143,6 +142,8 @@ Source16: su-l.pamd
Source51: blkid.conf
# PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -379,6 +380,8 @@ library.
%prep
%setup -q -n %{_name}-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
%if %build_util_linux