From 6295ab1cea325a25c854451594640c7ceefa9efcfd9864ee46403f2c478fdee3 Mon Sep 17 00:00:00 2001 From: Stanislav Brabec Date: Fri, 1 Mar 2019 20:19:58 +0000 Subject: [PATCH 1/3] Accepting request 677957 from home:mwilck:branches:Base:System - libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). - libmount: print a blacklist hint for "unknown filesystem type" (jsc#SLE-4085, fate#326832), and add documentation * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch OBS-URL: https://build.opensuse.org/request/show/677957 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=394 --- ...n-on-blacklisted-modules-to-mount-8-.patch | 50 ++++++++++++ ...-blacklist-hint-for-unknown-filesyst.patch | 78 +++++++++++++++++++ python3-libmount.spec | 3 +- util-linux.changes | 13 ++++ util-linux.spec | 4 + 5 files changed, 147 insertions(+), 1 deletion(-) create mode 100644 Add-documentation-on-blacklisted-modules-to-mount-8-.patch create mode 100644 libmount-print-a-blacklist-hint-for-unknown-filesyst.patch diff --git a/Add-documentation-on-blacklisted-modules-to-mount-8-.patch b/Add-documentation-on-blacklisted-modules-to-mount-8-.patch new file mode 100644 index 0000000..712e948 --- /dev/null +++ b/Add-documentation-on-blacklisted-modules-to-mount-8-.patch 
@@ -0,0 +1,50 @@
+From 1ade50a36f23fc35abb465aa5b7cfc73b2476328 Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Fri, 1 Feb 2019 12:09:11 +0100
+Subject: [PATCH] Add documentation on blacklisted modules to mount(8) man page
+
+Signed-off-by: Martin Wilck
+---
+ sys-utils/mount.8 | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/sys-utils/mount.8 b/sys-utils/mount.8
+index da0ac5b..c231e12 100644
+--- a/sys-utils/mount.8
++++ b/sys-utils/mount.8
+@@ -338,6 +338,32 @@ The
+ option is similar, with the restriction that the user must be
+ member of the group of the special file.
+
++.SS Blacklisted file systems
++In the Linux kernel, file system types are implemented as kernel
++modules. While many of these file systems are well maintained,
++some of the older and less frequently used ones are not. This
++poses a security risk, because maliciously crafted file system
++images might open security holes when mounted either automatically
++or by an inadvertent user. The
++.B mount
++command prints "unsupported file system type 'somefs'" in this case,
++because it can't distinguish between a really unsupported file system
++(kernel module non-existent) and a blacklisted file system.
++
++Users who need the blacklisted file systems and therefore want
++to override the blacklisting can either load the blacklisted module
++directly:
++.RS
++
++.br
++.BI "modprobe -v" " somefs"
++.br
++
++.RE
++or override the blacklist configuration by editing files under the
++.I /etc/modprobe.d
++directory.
++
+ .SS Bind mount operation
+ Remount part of the file hierarchy somewhere else. The call is:
+
+--
+2.19.2
+
diff --git a/libmount-print-a-blacklist-hint-for-unknown-filesyst.patch b/libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
new file mode 100644
index 0000000..d5a3e6c
--- /dev/null
+++ b/libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
@@ -0,0 +1,78 @@
+From 199ae08b4df09ec4ce9d82584664e61bcb7ab91a Mon Sep 17 00:00:00 2001
+From: Martin Wilck
+Date: Fri, 1 Feb 2019 11:36:42 +0100
+Subject: [PATCH 1/2] libmount: print a blacklist hint for "unknown filesystem
+ type"
+
+SUSE blacklists kernel modules for some old, poorly maintained
+file systems by default for security reasons. Provide a hopefully
+helpful message to users if mounting a possibly blacklisted file
+system fails.
+
+Signed-off-by: Martin Wilck
+---
+ libmount/src/context_mount.c | 41 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
+index f914c9b..a48483f 100644
+--- a/libmount/src/context_mount.c
++++ b/libmount/src/context_mount.c
+@@ -1423,6 +1423,32 @@ done:
+ return rc;
+ }
+
++/*
++ * SUSE blacklists kernel modules for some old, poorly maintained
++ * file systems by default for security reasons.
++ * A set of blacklist files is maintained under /etc/modprobe.d,
++ * in the suse-module-tools package.
++ * Blacklisted file system modules will cause mount(2) to fail
++ * with -ENODEV.
++ * If this happens for one of the blacklisted file systems, provide
++ * a hint to the user where to look.
++ */ ++static int is_maybe_blacklisted(const char *fstype) ++{ ++ static const char *const fs_blacklist[] = { ++ "adfs", "affs", "bfs", "befs", "cramfs", "efs", "erofs", ++ "exofs", "freevxfs", "f2fs", "hfs", "hpfs", ++ "jfs", "minix", "nilfs2", "ntfs", "omfs", "qnx4", "qnx6", ++ "sysv", "ufs" ++ }; ++ size_t i; ++ ++ for (i = 0; i < sizeof(fs_blacklist)/sizeof(*fs_blacklist); i++) ++ if (!strcmp(fs_blacklist[i], fstype)) ++ return 1; ++ return 0; ++} ++ + int mnt_context_get_mount_excode( + struct libmnt_context *cxt, + int rc, +@@ -1670,10 +1696,17 @@ int mnt_context_get_mount_excode( + case ENODEV: + if (!buf) + break; +- if (mnt_context_get_fstype(cxt)) +- snprintf(buf, bufsz, _("unknown filesystem type '%s'"), +- mnt_context_get_fstype(cxt)); +- else ++ if (mnt_context_get_fstype(cxt)) { ++ size_t n; ++ ++ n = snprintf(buf, bufsz, ++ _("unknown filesystem type '%s'"), ++ mnt_context_get_fstype(cxt)); ++ if (n < bufsz && ++ is_maybe_blacklisted(mnt_context_get_fstype(cxt))) ++ snprintf(buf + n, bufsz - n, ++ " (hint: possibly blacklisted, see mount(8))"); ++ } else + snprintf(buf, bufsz, _("unknown filesystem type")); + break; + +-- +2.19.2 + diff --git a/python3-libmount.spec b/python3-libmount.spec index f5c3b78..6b4651b 100644 --- a/python3-libmount.spec +++ b/python3-libmount.spec @@ -73,7 +73,7 @@ Name: python3-libmount %endif Summary: %main_summary License: GPL-2.0-or-later -Group: %main_group +Group: %group_pl BuildRequires: audit-devel BuildRequires: bc BuildRequires: binutils-devel @@ -366,6 +366,7 @@ SMP systems. %if %build_util_linux %package -n python3-libmount Summary: %summary_pl +License: GPL-2.0-or-later Group: %group_pl %description -n python3-libmount diff --git a/util-linux.changes b/util-linux.changes index 0cfeca5..53cd31d 100644 --- a/util-linux.changes +++ b/util-linux.changes 
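Review bot: The hint appended in the ENODEV branch, `" (hint: possibly blacklisted, see mount(8))"`, is not passed through `_()` although the message it extends is, so localized output ends in an untranslated English suffix; `_(" (hint: possibly blacklisted, see mount(8))")` would keep the two consistent. In the same branch `n` is declared `size_t` but receives snprintf()'s `int` result, so a negative return skips the hint only because it wraps to a huge value; `int n;` with `if (n > 0 && (size_t)n < bufsz && ...)` states the intent. The hard-coded `fs_blacklist` array duplicates the lists kept under /etc/modprobe.d and can drift from them (the changelog already records jffs2 and ubifs being dropped), so a comment such as `/* keep in sync with the blacklist files shipped by suse-module-tools */` above the array would help. The mount.8 text added by the companion patch quotes the message as "unsupported file system type 'somefs'" while this code prints "unknown filesystem type '%s'", and the two should agree so that users can match the documentation to what they see. The body of mnt_context_get_mount_excode starts and ends outside the hunk.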
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck + +- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). + +------------------------------------------------------------------- +Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck + +- libmount: print a blacklist hint for "unknown filesystem type" + (jsc#SLE-4085, fate#326832), and add documentation + * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch + * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch + ------------------------------------------------------------------- Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com diff --git a/util-linux.spec b/util-linux.spec index d6133d4..8c6945e 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -143,6 +143,8 @@ Source16: su-l.pamd Source51: blkid.conf # PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch +Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # %if %build_util_linux @@ -379,6 +381,8 @@ library. %prep %setup -q -n %{_name}-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %if %build_util_linux From a47afa8bba46478dff9f0e4bb2c4704a9cefc06e6ebac2939193b4ff67f61143 Mon Sep 17 00:00:00 2001 
From: Stanislav Brabec Date: Mon, 4 Mar 2019 14:28:19 +0000 Subject: [PATCH 2/3] Accepting request 681470 from home:sbrabec:branches:util-linux-login-b1081947 - Integrate pam_keyinit pam module to login (boo#1081947, login.pamd, remote.pamd). - libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). - libmount: print a blacklist hint for "unknown filesystem type" (jsc#SLE-4085, fate#326832), and add documentation * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch OBS-URL: https://build.opensuse.org/request/show/681470 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=395 --- login.pamd | 1 + python3-libmount.changes | 19 +++++++++++++++++++ python3-libmount.spec | 7 +++++-- remote.pamd | 1 + util-linux-systemd.changes | 19 +++++++++++++++++++ util-linux-systemd.spec | 4 ++++ util-linux.changes | 6 ++++++ 7 files changed, 55 insertions(+), 2 deletions(-) diff --git a/login.pamd b/login.pamd index 93fc60e..0e774a7 100644 --- a/login.pamd +++ b/login.pamd @@ -4,6 +4,7 @@ auth include common-auth account include common-account password include common-password session required pam_loginuid.so +session optional pam_keyinit.so force revoke session include common-session #session optional pam_lastlog.so nowtmp showfailed session optional pam_mail.so standard diff --git a/python3-libmount.changes b/python3-libmount.changes index 0cfeca5..cc0ebab 100644 --- a/python3-libmount.changes +++ b/python3-libmount.changes 
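Review bot: The added `session optional pam_keyinit.so force revoke` line in login.pamd has no comment saying why it sits between pam_loginuid and `session include common-session`, and that placement is what makes it useful: the session keyring has to exist before any module pulled in by common-session attaches keys to it. A comment such as `# fresh session keyring per login, revoked at logout; keep before common-session (boo#1081947)` would protect the ordering from later edits. Because the control flag is `optional`, a pam_keyinit failure is ignored and the session would presumably keep whatever keyring it inherited, so it is worth confirming that this is the intended failure mode. The same line is added to remote.pamd and the same comment applies there.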
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com + +- Integrate pam_keyinit pam module to login + (boo#1081947, login.pamd, remote.pamd). + +------------------------------------------------------------------- +Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck + +- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). + +------------------------------------------------------------------- +Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck + +- libmount: print a blacklist hint for "unknown filesystem type" + (jsc#SLE-4085, fate#326832), and add documentation + * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch + * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch + ------------------------------------------------------------------- Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com diff --git a/python3-libmount.spec b/python3-libmount.spec index 6b4651b..211bcda 100644 --- a/python3-libmount.spec +++ b/python3-libmount.spec @@ -73,7 +73,7 @@ Name: python3-libmount %endif Summary: %main_summary License: GPL-2.0-or-later -Group: %group_pl +Group: %main_group BuildRequires: audit-devel BuildRequires: bc BuildRequires: binutils-devel @@ -143,6 +143,8 @@ Source16: su-l.pamd Source51: blkid.conf # PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch +Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # %if %build_util_linux @@ -366,7 +368,6 @@ SMP systems. %if %build_util_linux %package -n python3-libmount Summary: %summary_pl -License: GPL-2.0-or-later Group: %group_pl %description -n python3-libmount @@ -380,6 +381,8 @@ library. %prep %setup -q -n %{_name}-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %if %build_util_linux 
diff --git a/remote.pamd b/remote.pamd index 4dd900b..c74ab91 100644 --- a/remote.pamd +++ b/remote.pamd @@ -7,6 +7,7 @@ auth include common-auth account include common-account password include common-password session required pam_loginuid.so +session optional pam_keyinit.so force revoke session include common-session session optional pam_lastlog.so nowtmp showfailed session optional pam_mail.so standard diff --git a/util-linux-systemd.changes b/util-linux-systemd.changes index 0cfeca5..cc0ebab 100644 --- a/util-linux-systemd.changes +++ b/util-linux-systemd.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com + +- Integrate pam_keyinit pam module to login + (boo#1081947, login.pamd, remote.pamd). + +------------------------------------------------------------------- +Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck + +- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). + +------------------------------------------------------------------- +Thu Feb 7 14:28:37 UTC 2019 - Martin Wilck + +- libmount: print a blacklist hint for "unknown filesystem type" + (jsc#SLE-4085, fate#326832), and add documentation + * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch + * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch + ------------------------------------------------------------------- Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com diff --git a/util-linux-systemd.spec b/util-linux-systemd.spec index 6034a1b..d362767 100644 --- a/util-linux-systemd.spec +++ b/util-linux-systemd.spec 
@@ -143,6 +143,8 @@ Source16: su-l.pamd Source51: blkid.conf # PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff +Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch +Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build # %if %build_util_linux @@ -379,6 +381,8 @@ library. %prep %setup -q -n %{_name}-%{version} %patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %if %build_util_linux diff --git a/util-linux.changes b/util-linux.changes index 53cd31d..cc0ebab 100644 --- a/util-linux.changes +++ b/util-linux.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com + +- Integrate pam_keyinit pam module to login + (boo#1081947, login.pamd, remote.pamd). + ------------------------------------------------------------------- Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck From 686870baf89dbc44a514ef1c9850a2968c5dc245ebde6a1fcde63bd0b79f4c12 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Tue, 5 Mar 2019 09:05:54 +0000 Subject: [PATCH 3/3] Accepting request 681415 from home:dimstar:Factory - Drop bc BuildRequires: not needed. OBS-URL: https://build.opensuse.org/request/show/681415 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=396 --- util-linux.changes | 5 +++++ util-linux.spec | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/util-linux.changes b/util-linux.changes index cc0ebab..c862851 100644 --- a/util-linux.changes +++ b/util-linux.changes 
@@ -4,6 +4,11 @@ Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com - Integrate pam_keyinit pam module to login (boo#1081947, login.pamd, remote.pamd). +------------------------------------------------------------------- +Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger + +- Drop bc BuildRequires: not needed. + ------------------------------------------------------------------- Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck diff --git a/util-linux.spec b/util-linux.spec index 8c6945e..bfbf92e 100644 --- a/util-linux.spec +++ b/util-linux.spec @@ -75,7 +75,6 @@ Summary: %main_summary License: GPL-2.0-or-later Group: %main_group BuildRequires: audit-devel -BuildRequires: bc BuildRequires: binutils-devel BuildRequires: fdupes BuildRequires: gettext-devel