Control: tag -1 d-i d-i ack needed for the udeb.
On Wed, Mar 04, 2026 at 12:33:05PM +0100, Bastian Germann wrote: > Control: tags -1 - moreinfo > > Please find the new debdiff attached. > diff -Nru xfsprogs-6.13.0/debian/changelog xfsprogs-6.13.0/debian/changelog > --- xfsprogs-6.13.0/debian/changelog 2025-02-23 15:32:04.000000000 +0100 > +++ xfsprogs-6.13.0/debian/changelog 2026-03-04 12:28:29.000000000 +0100 > @@ -1,3 +1,10 @@ > +xfsprogs (6.13.0-2+deb13u1) trixie; urgency=medium > + > + * xfs_scrub_fail: reduce security lockdowns to avoid postfix problems > + (Closes: #1116595) > + > + -- Bastian Germann <[email protected]> Wed, 04 Mar 2026 12:28:29 +0100 > + > xfsprogs (6.13.0-2) unstable; urgency=medium > > * Patch: mkfs: Correct filesize declaration > diff -Nru > xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch > > xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch > --- > xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > xfsprogs-6.13.0/debian/patches/reduce-security-lockdowns-to-avoid-postfix-problems.patch > 2026-03-01 17:22:10.000000000 +0100 > @@ -0,0 +1,133 @@ > +From: Bastian Germann <[email protected]> > +Date: Mar, 01 2026 16:19:13 +0100 > +Bug-Debian: https://bugs.debian.org/1116595 > +Subject: reduce security lockdowns to avoid postfix problems > + > +Apply upstream 50411335572120153cc84d54213cd5ca9dd11b14 to the other > +systemd services that people might have problems with. > +--- > +--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all.service.in > ++++ xfsprogs-6.18.0/scrub/xfs_scrub_all.service.in > +@@ -25,61 +25,3 @@ IOSchedulingClass=idle > + CPUSchedulingPolicy=idle > + CPUAccounting=true > + Nice=19 > +- > +-# No realtime scheduling > +-RestrictRealtime=true > +- > +-# No special privileges, but we still have to run as root so that we can > +-# contact the service manager to start the sub-units. > +-CapabilityBoundingSet= > +-NoNewPrivileges=true > +-RestrictSUIDSGID=true > +- > +-# Make the entire filesystem readonly except for the media scan stamp file > +-# directory. We don't want to hide anything because we need to find all > +-# mounted XFS filesystems in the host. > +-ProtectSystem=strict > +-ProtectHome=read-only > +-PrivateTmp=false > +-BindPaths=@pkg_state_dir@ > +- > +-# No network access except to the systemd control socket > +-PrivateNetwork=true > +-ProtectHostname=true > +-RestrictAddressFamilies=AF_UNIX > +-IPAddressDeny=any > +- > +-# Don't let the program mess with the kernel configuration at all > +-ProtectKernelLogs=true > +-ProtectKernelModules=true > +-ProtectKernelTunables=true > +-ProtectControlGroups=true > +-ProtectProc=invisible > +-RestrictNamespaces=true > +- > +-# Hide everything in /proc, even /proc/mounts > +-ProcSubset=pid > +- > +-# Only allow the default personality Linux > +-LockPersonality=true > +- > +-# No writable memory pages > +-MemoryDenyWriteExecute=true > +- > +-# Don't let our mounts leak out to the host > +-PrivateMounts=true > +- > +-# Restrict system calls to the native arch and only enough to get things > going > +-SystemCallArchitectures=native > +-SystemCallFilter=@system-service > +-SystemCallFilter=~@privileged > +-SystemCallFilter=~@resources > +-SystemCallFilter=~@mount > +- > +-# Media scan stamp file shouldn't be readable by regular users > +-UMask=0077 > +- > +-# lsblk ignores mountpoints if it can't find the device files, so we cannot > +-# hide them > +-#ProtectClock=true > +-#PrivateDevices=true > +--- xfsprogs-6.18.0.orig/scrub/xfs_scrub_all_fail.service.in > ++++ xfsprogs-6.18.0/scrub/xfs_scrub_all_fail.service.in > +@@ -14,58 +14,3 @@ ExecStart=@pkg_libexec_dir@/xfs_scrub_fa > + User=mail > + Group=mail > + SupplementaryGroups=systemd-journal > +- > +-# No realtime scheduling > +-RestrictRealtime=true > +- > +-# Make the entire filesystem readonly and /home inaccessible. > +-ProtectSystem=full > +-ProtectHome=yes > +-PrivateTmp=true > +-RestrictSUIDSGID=true > +- > +-# Emailing reports requires network access, but not the ability to change > the > +-# hostname. > +-ProtectHostname=true > +- > +-# Don't let the program mess with the kernel configuration at all > +-ProtectKernelLogs=true > +-ProtectKernelModules=true > +-ProtectKernelTunables=true > +-ProtectControlGroups=true > +-ProtectProc=invisible > +-RestrictNamespaces=true > +- > +-# Can't hide /proc because journalctl needs it to find various pieces of log > +-# information > +-#ProcSubset=pid > +- > +-# Only allow the default personality Linux > +-LockPersonality=true > +- > +-# No writable memory pages > +-MemoryDenyWriteExecute=true > +- > +-# Don't let our mounts leak out to the host > +-PrivateMounts=true > +- > +-# Restrict system calls to the native arch and only enough to get things > going > +-SystemCallArchitectures=native > +-SystemCallFilter=@system-service > +-SystemCallFilter=~@privileged > +-SystemCallFilter=~@resources > +-SystemCallFilter=~@mount > +- > +-# xfs_scrub needs these privileges to run, and no others > +-CapabilityBoundingSet= > +-NoNewPrivileges=true > +- > +-# Failure reporting shouldn't create world-readable files > +-UMask=0077 > +- > +-# Clean up any IPC objects when this unit stops > +-RemoveIPC=true > +- > +-# No access to hardware device files > +-PrivateDevices=true > +-ProtectClock=true > diff -Nru xfsprogs-6.13.0/debian/patches/series > xfsprogs-6.13.0/debian/patches/series > --- xfsprogs-6.13.0/debian/patches/series 2025-02-23 15:20:24.000000000 > +0100 > +++ xfsprogs-6.13.0/debian/patches/series 2026-03-04 12:27:53.000000000 > +0100 > @@ -1 +1,3 @@ > mkfs-Correct-filesize-declaration.patch > +xfs_scrub_fail-reduce-security-lockdowns.patch > +reduce-security-lockdowns-to-avoid-postfix-problems.patch > diff -Nru > xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch > xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch > --- > xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > xfsprogs-6.13.0/debian/patches/xfs_scrub_fail-reduce-security-lockdowns.patch > 2026-03-04 12:26:44.000000000 +0100 > @@ -0,0 +1,101 @@ > +From 15fd6fc686d5ce7640e46d44f6fa018413ce1b64 Mon Sep 17 00:00:00 2001 > +From: "Darrick J. Wong" <[email protected]> > +Date: Mon, 13 Oct 2025 16:34:24 -0700 > +Subject: [PATCH] xfs_scrub_fail: reduce security lockdowns to avoid postfix > + problems > + > +Iustin Pop reports that the xfs_scrub_fail service fails to email > +problem reports on Debian when postfix is installed. This is apparently > +due to several factors: > + > +1. postfix's sendmail wrapper calling postdrop directly, > +2. postdrop requiring the ability to write to the postdrop group, > +3. lockdown preventing the xfs_scrub_fail@ service to have postdrop in > + the supplemental group list or the ability to run setgid programs > + > +Item (3) could be solved by adding the whole service to the postdrop > +group via SupplementalGroups=, but that will fail if postfix is not > +installed and hence there is no postdrop group. > + > +It could also be solved by forcing msmtp to be installed, bind mounting > +msmtp into the service container, and injecting a config file that > +instructs msmtp to connect to port 25, but that in turn isn't compatible > +with systems not configured to allow an smtp server to listen on ::1. > + > +So we'll go with the less restrictive approach that e2scrub_fail@ does, > +which is to say that we just turn off all the sandboxing. :( :( > + > +Reported-by: [email protected] > +Cc: [email protected] # v6.10.0 > +Fixes: 9042fcc08eed6a ("xfs_scrub_fail: tighten up the security on the > background systemd service") > +Signed-off-by: Darrick J. Wong <[email protected]> > +Reviewed-by: Andrey Albershteyn <[email protected]> > +--- > + scrub/[email protected] | 57 ++------------------------------ > + 1 file changed, 3 insertions(+), 54 deletions(-) > + > +diff --git a/scrub/[email protected] > b/scrub/[email protected] > +index 16077888..1e205768 100644 > +--- a/scrub/[email protected] > ++++ b/scrub/[email protected] > +@@ -19,57 +19,6 @@ SupplementaryGroups=systemd-journal > + # can control resource usage. > + Slice=system-xfs_scrub.slice > + > +-# No realtime scheduling > +-RestrictRealtime=true > +- > +-# Make the entire filesystem readonly and /home inaccessible. > +-ProtectSystem=full > +-ProtectHome=yes > +-PrivateTmp=true > +-RestrictSUIDSGID=true > +- > +-# Emailing reports requires network access, but not the ability to change > the > +-# hostname. > +-ProtectHostname=true > +- > +-# Don't let the program mess with the kernel configuration at all > +-ProtectKernelLogs=true > +-ProtectKernelModules=true > +-ProtectKernelTunables=true > +-ProtectControlGroups=true > +-ProtectProc=invisible > +-RestrictNamespaces=true > +- > +-# Can't hide /proc because journalctl needs it to find various pieces of log > +-# information > +-#ProcSubset=pid > +- > +-# Only allow the default personality Linux > +-LockPersonality=true > +- > +-# No writable memory pages > +-MemoryDenyWriteExecute=true > +- > +-# Don't let our mounts leak out to the host > +-PrivateMounts=true > +- > +-# Restrict system calls to the native arch and only enough to get things > going > +-SystemCallArchitectures=native > +-SystemCallFilter=@system-service > +-SystemCallFilter=~@privileged > +-SystemCallFilter=~@resources > +-SystemCallFilter=~@mount > +- > +-# xfs_scrub needs these privileges to run, and no others > +-CapabilityBoundingSet= > +-NoNewPrivileges=true > +- > +-# Failure reporting shouldn't create world-readable files > +-UMask=0077 > +- > +-# Clean up any IPC objects when this unit stops > +-RemoveIPC=true > +- > +-# No access to hardware device files > +-PrivateDevices=true > +-ProtectClock=true > ++# No further restrictions because some installations may have MTAs such as > ++# postfix, which require the ability to run setgid programs and other > ++# foolishness. -- Jonathan Wiltshire [email protected] Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

