coredump: drop RestrictSUIDSGID= option (#38640)

systemd-coredump sandbox already has ProtectSystem=strict hence all non
API filesystems are made read-only, thus RestrictSUIDSGID= doesn't buy
us much.

On top of that systemd-coredump's EnterNamespace= feature requires
openat2() to work correctly and that is implicitly blocked by
RestrictSUIDSGID=.

Follow-up for 8f8148cb08bf9f2c0e1f7fe6a5e6eb383115957b

src/nspawn/nspawn.c

@@ -2566,7 +2566,7 @@ static int setup_hostname(void) {
         return 0;
 }
 
-static int setup_journal(const char *directory) {
+static int setup_journal(const char *directory, uid_t uid_shift, uid_t uid_range) {
         _cleanup_free_ char *d = NULL;
         sd_id128_t this_id;
         bool try;
@@ -2693,11 +2693,20 @@ static int setup_journal(const char *directory) {
         if (r < 0)
                 return log_error_errno(r, "Failed to create %s: %m", q);
 
-        r = mount_nofollow_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL);
+        return mount_custom(
-        if (r < 0)
+                        directory,
-                return log_error_errno(r, "Failed to bind mount journal from host into guest: %m");
+                        &(CustomMount) {
-
+                                .type = CUSTOM_MOUNT_BIND,
-        return 0;
+                                .options = (char*) (uid_is_valid(uid_shift) ? "rootidmap" : NULL),
+                                .source = p,
+                                .destination = p,
+                                .destination_uid = UID_INVALID,
+                        },
+                        /* n = */ 1,
+                        uid_shift,
+                        uid_range,
+                        arg_selinux_apifs_context,
+                        MOUNT_NON_ROOT_ONLY);
 }
 
 static int drop_capabilities(uid_t uid) {
@@ -4270,7 +4279,7 @@ static int outer_child(
         if (r < 0)
                 return r;
 
-        r = setup_journal(directory);
+        r = setup_journal(directory, chown_uid, chown_range);
         if (r < 0)
                 return r;
 

src/test/test-install-root.c

@@ -1203,7 +1203,7 @@ TEST(verify_alias) {
         verify_one(&bare_template, "foo.target.wants/plain.socket", -EXDEV, NULL);
         verify_one(&bare_template, "foo.target.wants/plain@.service", -EXDEV, NULL);
          /* Name mismatch: we cannot allow this, because plain@foo.service would be pulled in by foo.target,
-          * but would not be resolveable on its own, since systemd doesn't know how to load the fragment. */
+          * but would not be resolvable on its own, since systemd doesn't know how to load the fragment. */
         verify_one(&bare_template, "foo.target.wants/plain@foo.service", -EXDEV, NULL);
         verify_one(&bare_template, "foo.target.wants/template1@foo.service", 0, NULL);
         verify_one(&bare_template, "foo.target.wants/service", -EXDEV, NULL);

test/integration-tests/TEST-16-EXTEND-TIMEOUT/TEST-16-EXTEND-TIMEOUT.units/fail-stop.service

@@ -12,5 +12,5 @@ RuntimeMaxSec=4
 Environment=SERVICE=fail_stop extend_timeout_interval=5 sleep_interval=7 start_intervals=0 run_intervals=0 stop_intervals=2
 ExecStart=/usr/lib/systemd/tests/testdata/TEST-16-EXTEND-TIMEOUT.units/extend-timeout.sh
 # Due to 6041a7ee2c1bbff6301082f192fc1b0882400d42 SIGTERM isn't sent as the service shuts down with STOPPING=1
-# This file makes the test assess.sh quicker by notifing it that this test has finished.
+# This file makes the test assess.sh quicker by notifying it that this test has finished.
 ExecStopPost=/bin/bash -c '[[ $SERVICE_RESULT == timeout && $EXIT_CODE == killed ]] && touch /fail_runtime.terminated'

test/knot-data/zones/test.zone

@@ -23,4 +23,4 @@ unsigned              NS   ns1.unsigned
 svcb                  SVCB  1   .   alpn=dot ipv4hint=10.0.0.1 ipv6hint=fd00:dead:beef:cafe::1
 https                 HTTPS 1   .   alpn="h2,h3"
 
-delegation.excercise A 1.2.3.4
+delegation.exercise   A 1.2.3.4

test/units/TEST-10-MOUNT.sh

@@ -88,7 +88,7 @@ check_dependencies() {
     # event source will be retriggered when /run/mount/utab is updated, and the mount unit will be updated
     # again with the userspace options. Typically, the window between the two calls is very short, but when
     # the mount event source is ratelimited after the first event, processing the second event may be delayed
-    # about 1 secound. Hence, here we need to wait for a while.
+    # about 1 second. Hence, here we need to wait for a while.
     timeout 10 bash -c 'until systemctl show --property=After --value tmp-deptest.mount | grep -q -F remote-fs-pre.target; do sleep .1; done'
     after=$(systemctl show --property=After --value tmp-deptest.mount)
     assert_not_in "local-fs-pre.target" "$after"

test/units/TEST-13-NSPAWN.nspawn.sh

@@ -1446,4 +1446,28 @@ testcase_unpriv_dir() {
     rm -rf "$root"
 }
 
+testcase_link_journa_hostl() {
+    local root hoge i
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.link-journal.XXX)"
+    create_dummy_container "$root"
+
+    systemd-id128 new > "$root"/etc/machine-id
+
+    mkdir -p /var/log/journal
+
+    hoge="/var/log/journal/$(cat "$root"/etc/machine-id)/hoge"
+
+    for i in no yes pick; do
+        systemd-nspawn \
+            --directory="$root" --private-users="$i" --link-journal=host \
+            bash -xec 'p="/var/log/journal/$(cat /etc/machine-id)"; mountpoint "$p"; [[ "$(stat "$p" --format=%u)" == 0 ]]; touch "$p/hoge"'
+
+        [[ "$(stat "$hoge" --format=%u)" == 0 ]]
+        rm "$hoge"
+    done
+
+    rm -fr "$root"
+}
+
 run_testcases

test/units/TEST-15-DROPIN.sh

@@ -335,7 +335,7 @@ testcase_transient_slice_dropins() {
     # FIXME: implement reloading of individual units.
     #
     # The settings here are loaded twice. For most settings it doesn't matter,
-    # but Documentation is not deduplicated, so we current get repeated entried
+    # but Documentation is not deduplicated, so we currently get repeated entries
     # which is a bug.
 
     mkdir -p /etc/systemd/system/slice.d

test/units/TEST-65-ANALYZE.sh

@@ -982,13 +982,13 @@ systemd-analyze security --threshold=90 --offline=true \
                            --security-policy=/tmp/testfile.json \
                            --root=/tmp/img/ testfile.service
 
-# The strict profile adds a lot of sanboxing options
+# The strict profile adds a lot of sandboxing options
 systemd-analyze security --threshold=25 --offline=true \
                            --security-policy=/tmp/testfile.json \
                            --profile=strict \
                            --root=/tmp/img/ testfile.service
 
-# The trusted profile doesn't add any sanboxing options
+# The trusted profile doesn't add any sandboxing options
 (! systemd-analyze security --threshold=25 --offline=true \
                            --security-policy=/tmp/testfile.json \
                            --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \

test/units/TEST-75-RESOLVED.sh

@@ -1346,28 +1346,28 @@ testcase_15_wait_online_dns() {
 }
 
 testcase_delegate() {
-    # Before we install the delegation file the DNS name should be directly resolveable via our DNS server
+    # Before we install the delegation file the DNS name should be directly resolvable via our DNS server
-    run resolvectl query delegation.excercise.test
+    run resolvectl query delegation.exercise.test
     grep -qF "1.2.3.4" "$RUN_OUT"
 
     mkdir -p /run/systemd/dns-delegate.d/
     cat >/run/systemd/dns-delegate.d/testcase.dns-delegate <<EOF
 [Delegate]
 DNS=192.168.77.78
-Domains=excercise.test
+Domains=exercise.test
 EOF
     systemctl reload systemd-resolved
     resolvectl status
 
     # Now that we installed the delegation the resolution should fail, because nothing is listening on that IP address
-    (! resolvectl query delegation.excercise.test)
+    (! resolvectl query delegation.exercise.test)
 
     # Now make that IP address connectible
     ip link add delegate0 type dummy
     ip addr add 192.168.77.78 dev delegate0
 
     # This should work now
-    run resolvectl query delegation.excercise.test
+    run resolvectl query delegation.exercise.test
     grep -qF "1.2.3.4" "$RUN_OUT"
 
     ip link del delegate0
@@ -1376,13 +1376,13 @@ EOF
     systemctl restart systemd-resolved
 
     # Should no longer work
-    (! resolvectl query delegation.excercise.test)
+    (! resolvectl query delegation.exercise.test)
 
     rm /run/systemd/dns-delegate.d/testcase.dns-delegate
     systemctl reload systemd-resolved
 
     # Should work again without delegation in the mix
-    run resolvectl query delegation.excercise.test
+    run resolvectl query delegation.exercise.test
     grep -qF "1.2.3.4" "$RUN_OUT"
 }
 

units/systemd-coredump@.service.in

@@ -36,7 +36,6 @@ ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictRealtime=yes
-RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native