Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dspinella:branches:Base:System
systemd
1001-Temporarily-remove-mountfsd-nsresourced-ne...
Overview
Repositories
RPM Lint
Revisions
Requests
Users
Attributes
Meta
File 1001-Temporarily-remove-mountfsd-nsresourced-new-Polkit-a.patch of Package systemd
From dbe4e86dd799f94f54fc32b222e4c93aed76c5a2 Mon Sep 17 00:00:00 2001 From: Franck Bui <fbui@suse.com> Date: Mon, 20 Oct 2025 12:32:40 +0200 Subject: [PATCH 1/1] Temporarily remove mountfsd/nsresourced new Polkit actions introduced by v258 They must be validated by the security team, see bsc#1250898 and bsc#1250902. --- .../io.systemd.mount-file-system.policy | 72 ------------------- .../io.systemd.namespace-resource.policy | 64 ----------------- 2 files changed, 136 deletions(-) diff --git a/src/mountfsd/io.systemd.mount-file-system.policy b/src/mountfsd/io.systemd.mount-file-system.policy index 6100f7158f..6a151eb437 100644 --- a/src/mountfsd/io.systemd.mount-file-system.policy +++ b/src/mountfsd/io.systemd.mount-file-system.policy @@ -67,76 +67,4 @@ <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.mount-image-privately</annotate> </action> - - <!-- Allow mounting directories into the host user namespace --> - <action id="io.systemd.mount-file-system.mount-directory"> - <!-- If the directory is owned by the user (or by the foreign UID range, with a parent - directory owned by the user), make little restrictions --> - <description gettext-domain="systemd">Allow mounting of directory</description> - <message gettext-domain="systemd">Authentication is required for an application to mount directory $(directory).</message> - <defaults> - <allow_any>auth_admin_keep</allow_any> - <allow_inactive>auth_admin_keep</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - </action> - - <action id="io.systemd.mount-file-system.mount-untrusted-directory"> - <!-- If the directory is owned by an other user, require authentication --> - <description gettext-domain="systemd">Allow mounting of untrusted directory</description> - <message gettext-domain="systemd">Authentication is required for an application to mount directory $(directory) which is not owned by the user.</message> - <defaults> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> - <allow_active>auth_admin</allow_active> - </defaults> - - <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.mount-directory</annotate> - </action> - - <!-- Allow mounting directories into a private user namespace --> - <action id="io.systemd.mount-file-system.mount-directory-privately"> - <description gettext-domain="systemd">Allow private mounting of directory</description> - <message gettext-domain="systemd">Authentication is required for an application to privately mount directory $(directory).</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - </action> - - <action id="io.systemd.mount-file-system.mount-untrusted-directory-privately"> - <description gettext-domain="systemd">Allow private mounting of untrusted directory</description> - <message gettext-domain="systemd">Authentication is required for an application to privately mount directory $(directory) which is not owned by the user.</message> - <defaults> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> - <allow_active>auth_admin</allow_active> - </defaults> - - <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.mount-directory-privately</annotate> - </action> - - <!-- Allow making foreign UID range owned directories --> - <action id="io.systemd.mount-file-system.make-directory"> - <description gettext-domain="systemd">Allow creating directory owned by the foreign UID range</description> - <message gettext-domain="systemd">Authentication is required for an application to create $(directory) owned by the foreign UID range.</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - </action> - - <action id="io.systemd.mount-file-system.make-directory-untrusted"> - <description gettext-domain="systemd">Allow creating directory owned by the foreign UID range below directory not owned by the user</description> - <message gettext-domain="systemd">Authentication is required for an application to create $(directory) owned by the foreign UID range, below a directory not owned by the user.</message> - <defaults> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> - <allow_active>auth_admin</allow_active> - </defaults> - - <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.make-directory</annotate> - </action> </policyconfig> diff --git a/src/nsresourced/io.systemd.namespace-resource.policy b/src/nsresourced/io.systemd.namespace-resource.policy index b71efb9fc2..c109c2289f 100644 --- a/src/nsresourced/io.systemd.namespace-resource.policy +++ b/src/nsresourced/io.systemd.namespace-resource.policy @@ -12,67 +12,3 @@ the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. --> - -<policyconfig> - - <vendor>The systemd Project</vendor> - <vendor_url>https://systemd.io</vendor_url> - - <!-- Allow allocation of a user namespace with an automatically assigned UID range --> - <action id="io.systemd.namespace-resource.allocate-user-namespace"> - <description gettext-domain="systemd">Allow user namespace allocation</description> - <message gettext-domain="systemd">Authentication is required for an application to allocate a user namespace '$(name)' with an automatically assigned transient UID range.</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - <annotate key="org.freedesktop.policykit.imply">io.systemd.namespace-resource.register-user-namespace</annotate> - </action> - - <!-- Allow registration of a user namespace with a range allocated elsewhere --> - <action id="io.systemd.namespace-resource.register-user-namespace"> - <description gettext-domain="systemd">Allow user namespace registration</description> - <message gettext-domain="systemd">Authentication is required for an application to register a user namespace '$(name)'.</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - <annotate key="org.freedesktop.policykit.imply">io.systemd.namespace-resource.allocate-user-namespace</annotate> - </action> - - <!-- Allow adding a mount to a registered userns --> - <action id="io.systemd.namespace-resource.delegate-mount"> - <description gettext-domain="systemd">Allow adding a mount to a user namespace</description> - <message gettext-domain="systemd">Authentication is required for an application to add a mount to a user namespace.</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - </action> - - <!-- Allow adding a cgroup to a registered userns --> - <action id="io.systemd.namespace-resource.delegate-cgroup"> - <description gettext-domain="systemd">Allow adding a control group to a user namespace</description> - <message gettext-domain="systemd">Authentication is required for an application to add a control group to a user namespace.</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - </action> - - <!-- Allow adding a network interface to a registered userns --> - <action id="io.systemd.namespace-resource.delegate-network-interface"> - <description gettext-domain="systemd">Allow adding a network interface to a user namespace</description> - <message gettext-domain="systemd">Authentication is required for an application to add a network interface of type $(type) to a user namespace.</message> - <defaults> - <allow_any>yes</allow_any> - <allow_inactive>yes</allow_inactive> - <allow_active>yes</allow_active> - </defaults> - </action> - -</policyconfig> -- 2.51.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
