upstart: Apply nosymfollow to /tmp
Symlinks can be used in the /tmp folder to trick crash_reporter into
deleting arbitrary files.
Mount the /tmp folder with nosymfollow flag to prevent an attacker with
write access to /tmp from confusing and redirecting code that uses
/tmp.
BUG=b:235148382
TEST=verify that /tmp remounted with nosymfollow
Cq-Depend: chromium:3785359
Change-Id: I031fed6c6917228a2141da3fce7f5bc44b8ad670
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/upstart/+/3783196
Reviewed-by: Jason Ling <jasonling@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Ryan Borzello <rborzello@chromium.org>
Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Tested-by: Ryan Borzello <rborzello@chromium.org>
Owners-Override: Andres Calderon Jaramillo <andrescj@google.com>
diff --git a/init/main.c b/init/main.c
index 881f43d..19c33b6 100644
--- a/init/main.c
+++ b/init/main.c
@@ -91,6 +91,13 @@
static void usr1_handler (void *data, NihSignal *signal);
#endif /* DEBUG */
+// TODO(b/235960683): Drop this after CrOS upgrades to glibc >= 2.34
+// because MS_NOSYMFOLLOW will be defined in sys/mount.h
+#ifndef MS_NOSYMFOLLOW
+// Added locally in kernels 4.x+.
+#define MS_NOSYMFOLLOW 256
+#endif
+
#ifdef HAVE_SELINUX
static int initialize_selinux (void);
#endif
@@ -273,7 +280,8 @@
nih_free (err);
}
- if (system_mount ("tmpfs", "/tmp", MS_NOSUID | MS_NODEV | MS_NOEXEC,
+ if (system_mount ("tmpfs", "/tmp",
+ MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_NOSYMFOLLOW,
NULL) < 0) {
NihError *err;
