diff -Nru systemd-239/debian/changelog systemd-239/debian/changelog --- systemd-239/debian/changelog 2019-03-07 14:54:25.000000000 +0000 +++ systemd-239/debian/changelog 2019-04-03 10:52:48.000000000 +0000 @@ -1,17 +1,18 @@ -systemd (239-7ubuntu10.11) cosmic-security; urgency=medium +systemd (239-7ubuntu10.12) cosmic-security; urgency=medium - * SECURITY UPDATE: PAM misconfiguration leads to incorrect Policykit - authorization - - debian/extra/pam-configs/systemd: Enable pam_systemd.so for - non-interactive sessions - - CVE-2019-9619 * SECURITY UDPATE: Unsafe environment usage in pam_systemd.so leads to incorrect Policykit authorization - debian/patches/CVE-2019-3842.patch: Use secure_getenv() rather than getenv() in pam_systemd.c - CVE-2019-3842 - -- Chris Coulson Thu, 07 Mar 2019 14:54:25 +0000 + -- Chris Coulson Wed, 03 Apr 2019 11:52:48 +0100 + +systemd (239-7ubuntu10.11) cosmic; urgency=medium + + * virt: detect WSL environment as a container (LP: #1816753) + + -- Balint Reczey Mon, 25 Mar 2019 11:30:22 +0100 systemd (239-7ubuntu10.10) cosmic; urgency=medium diff -Nru systemd-239/debian/extra/pam-configs/systemd systemd-239/debian/extra/pam-configs/systemd --- systemd-239/debian/extra/pam-configs/systemd 2019-03-07 14:54:21.000000000 +0000 +++ systemd-239/debian/extra/pam-configs/systemd 2019-04-03 10:52:48.000000000 +0000 @@ -1,6 +1,7 @@ Name: Register user sessions in the systemd control group hierarchy Default: yes Priority: 0 +Session-Interactive-Only: yes Session-Type: Additional Session: optional pam_systemd.so diff -Nru systemd-239/debian/patches/series systemd-239/debian/patches/series --- systemd-239/debian/patches/series 2019-03-07 14:54:25.000000000 +0000 +++ systemd-239/debian/patches/series 2019-04-03 10:52:48.000000000 +0000 
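Review bot: The added `Session-Interactive-Only: yes` in debian/extra/pam-configs/systemd restores the restriction that the removed 239-7ubuntu10.11 changelog lines describe dropping for CVE-2019-9619 ("Enable pam_systemd.so for non-interactive sessions"), yet the 239-7ubuntu10.12 entry records only the secure_getenv() fix and the rewritten 10.11 entry mentions only WSL. Nothing on the page now says that pam_systemd.so is again limited to interactive sessions, so a later maintainer cannot tell whether the earlier change was withdrawn deliberately or lost in a merge. Since the profile format offers no obvious place for a rationale, I would record it in the 10.12 entry, along the lines of `  * debian/extra/pam-configs/systemd: keep pam_systemd.so interactive-only again (drops the CVE-2019-9619 change)`, with the reason for withdrawing it stated there, as it is not visible in this diff.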
@@ -103,4 +103,5 @@
 sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch
 journal-do-not-remove-multiple-spaces-after-identifi.patch
 stop-mount-error-propagation.patch
+virt-detect-WSL-environment-as-a-container-id-wsl.patch
 CVE-2019-3842.patch
diff -Nru systemd-239/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch systemd-239/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch
--- systemd-239/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/virt-detect-WSL-environment-as-a-container-id-wsl.patch 2019-03-25 10:30:22.000000000 +0000
@@ -0,0 +1,116 @@
+From: Balint Reczey
+Date: Wed, 6 Mar 2019 18:46:04 +0100
+Subject: virt: detect WSL environment as a container (id: wsl)
+
+---
+ man/systemd-detect-virt.xml | 13 ++++++++++++-
+ man/systemd.unit.xml | 3 ++-
+ src/basic/virt.c | 12 ++++++++++++
+ src/basic/virt.h | 1 +
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
+index c4763fd..9e37fd1 100644
+--- a/man/systemd-detect-virt.xml
++++ b/man/systemd-detect-virt.xml
+@@ -126,7 +126,7 @@
+ 
+ 
+ 
+- Container
++ Container
+ openvz
+ OpenVZ/Virtuozzo
+ 
+@@ -155,6 +155,11 @@
+ rkt
+ rkt app container runtime
+ 
++ 
++ 
++ wsl
++ Windows Subsystem for Linux
++ 
+ 
+ 
+ 
+@@ -164,6 +169,12 @@
+ machine and container virtualization are used in
+ conjunction, only the latter will be identified (unless
+ is passed).
++ Windows Subsystem for Linux is not a Linux container,
++ but an environment for running Linux userspace applications on
++ top of the Windows kernel using a Linux-compatible interface.
++ WSL is categorized as a container for practical purposes.
++ Multiple WSL environments share the same kernel and services
++ should generally behave like when being run in a container.
+ 
+ 
+ 
+diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
+index 7605c43..6c2ee31 100644
+--- a/man/systemd.unit.xml
++++ b/man/systemd.unit.xml
+@@ -1066,7 +1066,8 @@
+ lxc-libvirt,
+ systemd-nspawn,
+ docker,
+- rkt to test
++ rkt,
++ wsl to test
+ against a specific implementation, or
+ private-users to check whether we are running in a user namespace. See
+ systemd-detect-virt1
+diff --git a/src/basic/virt.c b/src/basic/virt.c
+index d347732..235e9f7 100644
+--- a/src/basic/virt.c
++++ b/src/basic/virt.c
+@@ -419,10 +419,12 @@ int detect_container(void) {
+ { "systemd-nspawn", VIRTUALIZATION_SYSTEMD_NSPAWN },
+ { "docker", VIRTUALIZATION_DOCKER },
+ { "rkt", VIRTUALIZATION_RKT },
++ { "wsl", VIRTUALIZATION_WSL },
+ };
+ 
+ static thread_local int cached_found = _VIRTUALIZATION_INVALID;
+ _cleanup_free_ char *m = NULL;
++ _cleanup_free_ char *o = NULL;
+ const char *e = NULL;
+ unsigned j;
+ int r;
+@@ -437,6 +439,15 @@ int detect_container(void) {
+ goto finish;
+ }
+ 
++ /* "Official" way of detecting WSL https://github.com/Microsoft/WSL/issues/423#issuecomment-221627364 */
++ r = read_one_line_file("/proc/sys/kernel/osrelease", &o);
++ if (r >= 0) {
++ if (strstr(o, "Microsoft") || strstr(o, "WSL")) {
++ r = VIRTUALIZATION_WSL;
++ goto finish;
++ }
++ }
++
+ if (getpid_cached() == 1) {
+ /* If we are PID 1 we can just check our own environment variable, and that's authoritative. */
+ 
+@@ -619,6 +630,7 @@ static const char *const virtualization_table[_VIRTUALIZATION_MAX] = {
+ [VIRTUALIZATION_OPENVZ] = "openvz",
+ [VIRTUALIZATION_DOCKER] = "docker",
+ [VIRTUALIZATION_RKT] = "rkt",
++ [VIRTUALIZATION_WSL] = "wsl",
+ [VIRTUALIZATION_CONTAINER_OTHER] = "container-other",
+ };
+ 
+diff --git a/src/basic/virt.h b/src/basic/virt.h
+index c4cf4bf..a603fd4 100644
+--- a/src/basic/virt.h
++++ b/src/basic/virt.h
+@@ -31,6 +31,7 @@ enum {
+ VIRTUALIZATION_OPENVZ,
+ VIRTUALIZATION_DOCKER,
+ VIRTUALIZATION_RKT,
++ VIRTUALIZATION_WSL,
+ VIRTUALIZATION_CONTAINER_OTHER,
+ VIRTUALIZATION_CONTAINER_LAST = VIRTUALIZATION_CONTAINER_OTHER,
+ 
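Review bot: The new `/proc/sys/kernel/osrelease` probe in detect_container() (the `@@ -437,6 +439,15 @@` part of the added patch) jumps to `finish` before the PID 1 `container=` environment check that the very next context comment calls authoritative and, as far as the visible context shows, before any other container-manager lookup, so a container manager running on a WSL kernel (for instance systemd-nspawn or docker inside WSL) would be reported as `wsl` rather than by its own name. If that precedence is intended, the comment should say so rather than only citing the issue link, e.g. `/* Kernel-release heuristic for WSL; deliberately checked before any container= declaration, so nested containers on a WSL kernel also report "wsl". */`; if it is not, the block belongs after the container-manager checks as a fallback. The match itself is a case-sensitive substring test, so any release string containing "Microsoft" or "WSL" is enough and a locally built kernel tagged that way would be classified as WSL, which is worth stating as a heuristic in the same comment. detect_container() and its `finish` label lie outside the quoted inner hunks.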