Accepting request 677957 from home:mwilck:branches:Base:System

- libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085). - libmount: print a blacklist hint for "unknown filesystem type" (jsc#SLE-4085, fate#326832), and add documentation * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch OBS-URL: https://build.opensuse.org/request/show/677957 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=394
2019-03-01 20:19:58 +00:00 · 2019-03-01 20:19:58 +00:00 · 6295ab1cea
commit 6295ab1cea
parent a7ab3a33bc
5 changed files with 147 additions and 1 deletions
--- a/Add-documentation-on-blacklisted-modules-to-mount-8-.patch
+++ b/Add-documentation-on-blacklisted-modules-to-mount-8-.patch
@ -0,0 +1,50 @@
 From 1ade50a36f23fc35abb465aa5b7cfc73b2476328 Mon Sep 17 00:00:00 2001
 From: Martin Wilck <mwilck@suse.com>
 Date: Fri, 1 Feb 2019 12:09:11 +0100
 Subject: [PATCH] Add documentation on blacklisted modules to mount(8) man page
 Signed-off-by: Martin Wilck <mwilck@suse.com>
 ---
 sys-utils/mount.8 | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 diff --git a/sys-utils/mount.8 b/sys-utils/mount.8
 index da0ac5b..c231e12 100644
 --- a/sys-utils/mount.8
 +++ b/sys-utils/mount.8
@@ -338,6 +338,32 @@ The
 option is similar, with the restriction that the user must be
 member of the group of the special file.
 +.SS Blacklisted file systems
 +In the Linux kernel, file system types are implemented as kernel
 +modules. While many of these file systems are well maintained,
 +some of the older and less frequently used ones are not. This
 +poses a security risk, because maliciously crafted file system
 +images might open security holes when mounted either automatically
 +or by an inadvertent user. The
 +.B mount
 +command prints "unsupported file system type 'somefs'" in this case,
 +because it can't distinguish between a really unsupported file system
 +(kernel module non-existent) and a blacklisted file system.
 +
 +Users who need the blacklisted file systems and therefore want
 +to override the blacklisting can either load the blacklisted module
 +directly:
 +.RS
 +
 +.br
 +.BI "modprobe -v" " somefs"
 +.br
 +
 +.RE
 +or override the blacklist configuration by editing files under the
 +.I /etc/modprobe.d
 +directory.
 +
 .SS Bind mount operation
 Remount part of the file hierarchy somewhere else.  The call is:
 -- 
 2.19.2
--- a/libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
+++ b/libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
@ -0,0 +1,78 @@
 From 199ae08b4df09ec4ce9d82584664e61bcb7ab91a Mon Sep 17 00:00:00 2001
 From: Martin Wilck <mwilck@suse.com>
 Date: Fri, 1 Feb 2019 11:36:42 +0100
 Subject: [PATCH 1/2] libmount: print a blacklist hint for "unknown filesystem
 type"
 SUSE blacklists kernel modules for some old, poorly maintained
 file systems by default for security reasons. Provide a hopefully
 helpful message to users if mounting a possibly blacklisted file
 system fails.
 Signed-off-by: Martin Wilck <mwilck@suse.com>
 ---
 libmount/src/context_mount.c | 41 ++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)
 diff --git a/libmount/src/context_mount.c b/libmount/src/context_mount.c
 index f914c9b..a48483f 100644
 --- a/libmount/src/context_mount.c
 +++ b/libmount/src/context_mount.c
@@ -1423,6 +1423,32 @@ done:
 	return rc;
 }
 +/*
 + * SUSE blacklists kernel modules for some old, poorly maintained
 + * file systems by default for security reasons.
 + * A set of blacklist files is maintained under /etc/modprobe.d,
 + * in the suse-module-tools package.
 + * Blacklisted file system modules will cause mount(2) to fail
 + * with -ENODEV.
 + * If this happens for one of the blacklisted file systems, provide
 + * a hint to the user where to look.
 + */
 +static int is_maybe_blacklisted(const char *fstype)
 +{
 +	static const char *const fs_blacklist[] = {
 +		"adfs", "affs", "bfs", "befs", "cramfs", "efs", "erofs",
 +		"exofs", "freevxfs", "f2fs", "hfs", "hpfs",
 +		"jfs", "minix", "nilfs2", "ntfs", "omfs", "qnx4", "qnx6",
 +		"sysv", "ufs"
 +	};
 +	size_t i;
 +
 +	for (i = 0; i < sizeof(fs_blacklist)/sizeof(*fs_blacklist); i++)
 +		if (!strcmp(fs_blacklist[i], fstype))
 +			return 1;
 +	return 0;
 +}
 +
 int mnt_context_get_mount_excode(
 			struct libmnt_context *cxt,
 			int rc,
@@ -1670,10 +1696,17 @@ int mnt_context_get_mount_excode(
 	case ENODEV:
 		if (!buf)
 			break;
 -		if (mnt_context_get_fstype(cxt))
 -			snprintf(buf, bufsz, _("unknown filesystem type '%s'"),
 -					mnt_context_get_fstype(cxt));
 -		else
 +		if (mnt_context_get_fstype(cxt)) {
 +			size_t n;
 +
 +			n = snprintf(buf, bufsz,
 +				     _("unknown filesystem type '%s'"),
 +				     mnt_context_get_fstype(cxt));
 +			if (n < bufsz &&
 +			    is_maybe_blacklisted(mnt_context_get_fstype(cxt)))
 +				snprintf(buf + n, bufsz - n,
 +					 " (hint: possibly blacklisted, see mount(8))");
 +		} else
 			snprintf(buf, bufsz, _("unknown filesystem type"));
 		break;
 -- 
 2.19.2
--- a/python3-libmount.spec
+++ b/python3-libmount.spec
@ -73,7 +73,7 @@ Name:           python3-libmount
 %endif
 Summary:        %main_summary
 License:        GPL-2.0-or-later
-Group:          %main_group
+Group:          %group_pl
 BuildRequires:  audit-devel
 BuildRequires:  bc
 BuildRequires:  binutils-devel
@ -366,6 +366,7 @@ SMP systems.
 %if %build_util_linux
 %package -n python3-libmount
 Summary:        %summary_pl
 License:        GPL-2.0-or-later
 Group:          %group_pl
 %description -n python3-libmount
--- a/util-linux.changes
+++ b/util-linux.changes
@ -1,3 +1,16 @@
 -------------------------------------------------------------------
 Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
 -  libmount: remove jffs2 and ubifs from blacklist (jsc#SLE-4085).
 -------------------------------------------------------------------
 Thu Feb  7 14:28:37 UTC 2019 - Martin Wilck <mwilck@suse.com>
 - libmount: print a blacklist hint for "unknown filesystem type"
  (jsc#SLE-4085, fate#326832), and add documentation
  * add libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
  * add Add-documentation-on-blacklisted-modules-to-mount-8-.patch
 -------------------------------------------------------------------
 Tue Jan 22 22:29:00 CET 2019 - sbrabec@suse.com
--- a/util-linux.spec
+++ b/util-linux.spec
@ -143,6 +143,8 @@ Source16:       su-l.pamd
 Source51:       blkid.conf
 # PATCH-EXTEND-UPSTREAM: Let `su' handle /sbin and /usr/sbin in path
 Patch0:         make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
 Patch1:         libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
 Patch2:         Add-documentation-on-blacklisted-modules-to-mount-8-.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@ -379,6 +381,8 @@ library.
 %prep
 %setup -q -n %{_name}-%{version}
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
 %build
 %if %build_util_linux