From dbe4e86dd799f94f54fc32b222e4c93aed76c5a2 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Mon, 20 Oct 2025 12:32:40 +0200
Subject: [PATCH 1/1] Temporarily remove mountfsd/nsresourced new Polkit
actions introduced by v258
These new actions must be validated by the security team; see bsc#1250898 and bsc#1250902.
---
.../io.systemd.mount-file-system.policy | 72 -------------------
.../io.systemd.namespace-resource.policy | 64 -----------------
2 files changed, 136 deletions(-)
diff --git a/src/mountfsd/io.systemd.mount-file-system.policy b/src/mountfsd/io.systemd.mount-file-system.policy
index 6100f7158f..6a151eb437 100644
--- a/src/mountfsd/io.systemd.mount-file-system.policy
+++ b/src/mountfsd/io.systemd.mount-file-system.policy
@@ -67,76 +67,4 @@
<annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.mount-image-privately</annotate>
</action>
-
- <!-- Allow mounting directories into the host user namespace -->
- <action id="io.systemd.mount-file-system.mount-directory">
- <!-- If the directory is owned by the user (or by the foreign UID range, with a parent
- directory owned by the user), make little restrictions -->
- <description gettext-domain="systemd">Allow mounting of directory</description>
- <message gettext-domain="systemd">Authentication is required for an application to mount directory $(directory).</message>
- <defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
- <action id="io.systemd.mount-file-system.mount-untrusted-directory">
- <!-- If the directory is owned by an other user, require authentication -->
- <description gettext-domain="systemd">Allow mounting of untrusted directory</description>
- <message gettext-domain="systemd">Authentication is required for an application to mount directory $(directory) which is not owned by the user.</message>
- <defaults>
- <allow_any>auth_admin</allow_any>
- <allow_inactive>auth_admin</allow_inactive>
- <allow_active>auth_admin</allow_active>
- </defaults>
-
- <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.mount-directory</annotate>
- </action>
-
- <!-- Allow mounting directories into a private user namespace -->
- <action id="io.systemd.mount-file-system.mount-directory-privately">
- <description gettext-domain="systemd">Allow private mounting of directory</description>
- <message gettext-domain="systemd">Authentication is required for an application to privately mount directory $(directory).</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
- <action id="io.systemd.mount-file-system.mount-untrusted-directory-privately">
- <description gettext-domain="systemd">Allow private mounting of untrusted directory</description>
- <message gettext-domain="systemd">Authentication is required for an application to privately mount directory $(directory) which is not owned by the user.</message>
- <defaults>
- <allow_any>auth_admin</allow_any>
- <allow_inactive>auth_admin</allow_inactive>
- <allow_active>auth_admin</allow_active>
- </defaults>
-
- <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.mount-directory-privately</annotate>
- </action>
-
- <!-- Allow making foreign UID range owned directories -->
- <action id="io.systemd.mount-file-system.make-directory">
- <description gettext-domain="systemd">Allow creating directory owned by the foreign UID range</description>
- <message gettext-domain="systemd">Authentication is required for an application to create $(directory) owned by the foreign UID range.</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
- <action id="io.systemd.mount-file-system.make-directory-untrusted">
- <description gettext-domain="systemd">Allow creating directory owned by the foreign UID range below directory not owned by the user</description>
- <message gettext-domain="systemd">Authentication is required for an application to create $(directory) owned by the foreign UID range, below a directory not owned by the user.</message>
- <defaults>
- <allow_any>auth_admin</allow_any>
- <allow_inactive>auth_admin</allow_inactive>
- <allow_active>auth_admin</allow_active>
- </defaults>
-
- <annotate key="org.freedesktop.policykit.imply">io.systemd.mount-file-system.make-directory</annotate>
- </action>
</policyconfig>
diff --git a/src/nsresourced/io.systemd.namespace-resource.policy b/src/nsresourced/io.systemd.namespace-resource.policy
index b71efb9fc2..c109c2289f 100644
--- a/src/nsresourced/io.systemd.namespace-resource.policy
+++ b/src/nsresourced/io.systemd.namespace-resource.policy
@@ -12,67 +12,3 @@
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
-->
-
-<policyconfig>
-
- <vendor>The systemd Project</vendor>
- <vendor_url>https://systemd.io</vendor_url>
-
- <!-- Allow allocation of a user namespace with an automatically assigned UID range -->
- <action id="io.systemd.namespace-resource.allocate-user-namespace">
- <description gettext-domain="systemd">Allow user namespace allocation</description>
- <message gettext-domain="systemd">Authentication is required for an application to allocate a user namespace '$(name)' with an automatically assigned transient UID range.</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- <annotate key="org.freedesktop.policykit.imply">io.systemd.namespace-resource.register-user-namespace</annotate>
- </action>
-
- <!-- Allow registration of a user namespace with a range allocated elsewhere -->
- <action id="io.systemd.namespace-resource.register-user-namespace">
- <description gettext-domain="systemd">Allow user namespace registration</description>
- <message gettext-domain="systemd">Authentication is required for an application to register a user namespace '$(name)'.</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- <annotate key="org.freedesktop.policykit.imply">io.systemd.namespace-resource.allocate-user-namespace</annotate>
- </action>
-
- <!-- Allow adding a mount to a registered userns -->
- <action id="io.systemd.namespace-resource.delegate-mount">
- <description gettext-domain="systemd">Allow adding a mount to a user namespace</description>
- <message gettext-domain="systemd">Authentication is required for an application to add a mount to a user namespace.</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
- <!-- Allow adding a cgroup to a registered userns -->
- <action id="io.systemd.namespace-resource.delegate-cgroup">
- <description gettext-domain="systemd">Allow adding a control group to a user namespace</description>
- <message gettext-domain="systemd">Authentication is required for an application to add a control group to a user namespace.</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
- <!-- Allow adding a network interface to a registered userns -->
- <action id="io.systemd.namespace-resource.delegate-network-interface">
- <description gettext-domain="systemd">Allow adding a network interface to a user namespace</description>
- <message gettext-domain="systemd">Authentication is required for an application to add a network interface of type $(type) to a user namespace.</message>
- <defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-
-</policyconfig>
--
2.51.0