From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001 From: Martin Wilck Date: Thu, 1 Sep 2022 19:21:30 +0200 Subject: [PATCH] multipath-tools: use /run instead of /dev/shm /dev/shm may have unsafe permissions. Use /run instead. Use systemd's tmpfiles.d mechanism to create /run/multipath early during boot. For backward compatibilty, make the runtime directory configurable via the "runtimedir" make variable. Signed-off-by: Martin Wilck Reviewed-by: Benjamin Marzinski CVE: CVE-2022-41973 Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] Signed-off-by: Hitendra Prajapati --- .gitignore | 2 ++ Makefile.inc | 7 ++++++- libmultipath/defaults.h | 3 +-- multipath/Makefile | 11 ++++++++--- multipath/{multipath.rules => multipath.rules.in} | 4 ++-- multipath/tmpfiles.conf.in | 1 + 6 files changed, 20 insertions(+), 8 deletions(-) rename multipath/{multipath.rules => multipath.rules.in} (95%) create mode 100644 multipath/tmpfiles.conf.in diff --git a/.gitignore b/.gitignore index 9926756b..f90b0350 100644 --- a/.gitignore +++ b/.gitignore @@ -8,6 +8,8 @@ *.d kpartx/kpartx multipath/multipath +multipath/multipath.rules +multipath/tmpfiles.conf multipathd/multipathd mpathpersist/mpathpersist .nfs* diff --git a/Makefile.inc b/Makefile.inc index 4eb08eed..648f91b4 100644 --- a/Makefile.inc +++ b/Makefile.inc @@ -44,6 +44,7 @@ exec_prefix = $(prefix) usr_prefix = $(prefix) bindir = $(exec_prefix)/usr/sbin libudevdir = $(prefix)/$(SYSTEMDPATH)/udev +tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d udevrulesdir = $(libudevdir)/rules.d multipathdir = $(TOPDIR)/libmultipath man8dir = $(prefix)/usr/share/man/man8 @@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp nvmedir = $(TOPDIR)/libmultipath/nvme includedir = $(prefix)/usr/include pkgconfdir = $(usrlibdir)/pkgconfig +runtimedir := /$(RUN) GZIP = gzip -9 -c RM = rm -f @@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ -Wno-unused-parameter -Werror=cast-qual \ -Werror=discarded-qualifiers -CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 +CPPFLAGS := $(FORTIFY_OPT) \ + -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ + -DRUNTIME_DIR=\"$(runtimedir)\" \ + -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ -MMD -MP $(CFLAGS) BIN_CFLAGS = -fPIE -DPIE diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h index c2164c16..908e0ca3 100644 --- a/libmultipath/defaults.h +++ b/libmultipath/defaults.h @@ -64,8 +64,7 @@ #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" -#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" - +#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" static inline char *set_default(char *str) { diff --git a/multipath/Makefile b/multipath/Makefile index e720c7f6..28976546 100644 --- a/multipath/Makefile +++ b/multipath/Makefile @@ -12,7 +12,7 @@ EXEC = multipath OBJS = main.o -all: $(EXEC) +all: $(EXEC) multipath.rules tmpfiles.conf $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) @@ -26,7 +26,9 @@ install: $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) - $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules + $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules + $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) + $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) @@ -43,9 +45,12 @@ uninstall: $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz clean: dep_clean - $(RM) core *.o $(EXEC) *.gz + $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf include $(wildcard $(OBJS:.o=.d)) dep_clean: $(RM) $(OBJS:.o=.d) + +%: %.in + sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in similarity index 95% rename from multipath/multipath.rules rename to multipath/multipath.rules.in index 0486bf70..5fb499e6 100644 --- a/multipath/multipath.rules +++ b/multipath/multipath.rules.in @@ -1,8 +1,8 @@ # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath SUBSYSTEM!="block", GOTO="end_mpath" KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" -ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ - RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" +ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ + RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" ACTION!="add|change", GOTO="end_mpath" IMPORT{cmdline}="nompath" diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in new file mode 100644 index 00000000..21be438a --- /dev/null +++ b/multipath/tmpfiles.conf.in @@ -0,0 +1 @@ +d @RUNTIME_DIR@/multipath 0700 root root - -- 2.25.1