From 4c9c8b8d09eff18df71ba4aa910df4201f9890a0 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 1 Nov 2024 10:03:26 +0100
Subject: [PATCH 1/2] coredump: lock down EnterNamespace= mount even more
Let's disable symlink following if we attach a container's mount tree to our own mount namespace. We afte rall mount the tree to a different location in the mount tree than where it was inside the container, hence symlinks (if they exist) will all point to the wrong places (even if relative, some might point to other places). And since symlink attacks are a thing, and we let libdw operate on the tree, let's lock this down as much as we can and simply disable symlink traversal entirely.
---
 src/coredump/coredump.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index c3e97325e0..7782839c2d 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -824,7 +824,7 @@ static int attach_mount_tree(int mount_tree_fd) {
 r = mount_setattr(mount_tree_fd, "", AT_EMPTY_PATH, &(struct mount_attr) {
- .attr_set = MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC,
+ .attr_set = MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOSYMFOLLOW,
 .propagation = MS_SLAVE,
 }, sizeof(struct mount_attr));
 if (r < 0)
From 00f7398049c45db562c4c0aa611e55cf7375d499 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 1 Nov 2024 10:05:32 +0100
Subject: [PATCH 2/2] =?UTF-8?q?coredump:=20rename=20gather=5Fpid=5Fmount?= =?UTF-8?q?=5Ftree=5Ffd()=20=E2=86=92=20acquire=5Fpid=5Fmount=5Ftree=5Ffd(?= =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From my understanding of the english language "gather" imples there are multiple things to gather. But here there's only one, hence use "acquire"
---
 src/coredump/coredump.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
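Review bot: The new MOUNT_ATTR_NOSYMFOLLOW bit, like the existing RDONLY/NOSUID/NODEV/NOEXEC bits on the same `.attr_set` line, is applied with the flags argument `AT_EMPTY_PATH` only, so mount_setattr() changes just the single mount that mount_tree_fd refers to; if that fd holds a cloned tree with submounts (a container root usually has some), those submounts keep their original attributes and symlinks beneath them are still followed, which undercuts the lock-down the commit message describes. If the tree is recursive, the call should pass `AT_EMPTY_PATH|AT_RECURSIVE` so the attributes cover the whole tree. As far as I recall, MOUNT_ATTR_NOSYMFOLLOW is also newer than mount_setattr() itself (Linux 5.14 vs 5.12), so on kernels in between the whole call now fails with EINVAL and the tree is not attached at all rather than attached without the extra bit; a comment such as `/* MOUNT_ATTR_NOSYMFOLLOW needs Linux 5.14; older kernels reject the whole call with EINVAL */` next to the `.attr_set` line would make that trade-off explicit, or a retry without the bit if degrading is preferred. How mount_tree_fd is obtained and the rest of attach_mount_tree() lie outside the hunk, so whether the fd really covers submounts cannot be confirmed from here.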
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
index 7782839c2d..6970a6a898 100644
--- a/src/coredump/coredump.c
+++ b/src/coredump/coredump.c
@@ -1688,7 +1688,7 @@ static int forward_coredump_to_container(Context *context) {
 return 0;
 }
-static int gather_pid_mount_tree_fd(const Context *context, int *ret_fd) {
+static int acquire_pid_mount_tree_fd(const Context *context, int *ret_fd) {
 /* Don't bother preparing environment if we can't pass it to libdwfl. */
 #if !HAVE_DWFL_SET_SYSROOT
 *ret_fd = -EOPNOTSUPP;
@@ -1809,7 +1809,7 @@ static int process_kernel(int argc, char* argv[]) {
 if (r >= 0)
 return 0;
- r = gather_pid_mount_tree_fd(&context, &context.mount_tree_fd);
+ r = acquire_pid_mount_tree_fd(&context, &context.mount_tree_fd);
 if (r < 0)
 log_warning_errno(r, "Failed to access the mount tree of a container, ignoring: %m");
 }