File util-linux-uuidd-check-lock-state.patch of Package python-libmount.32955

Applicable subset of the original commit: Issue warning if the lock
state file is not usable.

Service file is not hardened, so ReadWritePaths does not need to be
specified.

From f27876f9c1056bf41fd940d5c4990b4277e0024f Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Mon, 24 Jan 2022 14:08:08 +0100
Subject: [PATCH] uuidd: fix open/lock state issue

* warn on open/lock state issue
* remove ProtectSystem=strict from systemd service setting, because it
  makes clock state file read-only

  openat(AT_FDCWD, "/var/lib/libuuid/clock.txt",
     O_RDWR|O_CREAT|O_CLOEXEC, 0660) = -1 EROFS (Read-only file system)

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=2040366
Signed-off-by: Karel Zak <kzak@redhat.com>
---
 misc-utils/uuidd.c          | 9 ++++++---
 misc-utils/uuidd.service.in | 1 -
 2 files changed, 6 insertions(+), 4 deletions(-)

From 417982d0236a12756923d88e627f5e4facf8951c Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Tue, 25 Jan 2022 11:50:21 +0100
Subject: [PATCH] uuidd: Whitelist libuuid clock file

Return back ProtectSystem to strict, and enable access to
/var/lib/libuuid only.

Note: As LIBUUID_CLOCK_FILE does not use @localstatedir@, we use
/var here as well.

Signed-off-by: Ali Abdallah <ali.abdallah@suse.com>
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
 misc-utils/uuidd.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/misc-utils/uuidd.c b/misc-utils/uuidd.c
index f8b595ea7..dfcd1487b 100644
--- a/misc-utils/uuidd.c
+++ b/misc-utils/uuidd.c
@@ -494,7 +494,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
 			break;
 		case UUIDD_OP_TIME_UUID:
 			num = 1;
-			__uuid_generate_time(uu, &num);
+			if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+				warnx(_("failed to open/lock clock counter"));
 			if (uuidd_cxt->debug) {
 				uuid_unparse(uu, str);
 				fprintf(stderr, _("Generated time UUID: %s\n"), str);
@@ -504,7 +505,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
 			break;
 		case UUIDD_OP_RANDOM_UUID:
 			num = 1;
-			__uuid_generate_random(uu, &num);
+			if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+				warnx(_("failed to open/lock clock counter"));
 			if (uuidd_cxt->debug) {
 				uuid_unparse(uu, str);
 				fprintf(stderr, _("Generated random UUID: %s\n"), str);
@@ -513,7 +515,8 @@ static void server_loop(const char *socket_path, const char *pidfile_path,
 			reply_len = sizeof(uu);
 			break;
 		case UUIDD_OP_BULK_TIME_UUID:
-			__uuid_generate_time(uu, &num);
+			if (__uuid_generate_time(uu, &num) < 0 && !uuidd_cxt->quiet)
+				warnx(_("failed to open/lock clock counter"));
 			if (uuidd_cxt->debug) {
 				uuid_unparse(uu, str);
 				fprintf(stderr, P_("Generated time UUID %s "
Not applicable:
#diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
#index b4c9c4635..e64ca59b5 100644
#--- a/misc-utils/uuidd.service.in
#+++ b/misc-utils/uuidd.service.in
#@@ -18,6 +18,7 @@ ProtectKernelModules=yes
# ProtectControlGroups=yes
# RestrictAddressFamilies=AF_UNIX
# MemoryDenyWriteExecute=yes
#+ReadWritePaths=/var/lib/libuuid/
# SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
# 
# [Install]
-- 
2.35.1