|
 |
e641e6 |
From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
|
|
|
e641e6 |
From: Simon McVittie <smcv@collabora.com>
|
|
|
e641e6 |
Date: Mon, 17 Jan 2022 21:59:02 +0000
|
|
|
e641e6 |
Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset
|
|
|
e641e6 |
|
|
|
e641e6 |
This requires <https://github.com/flatpak/flatpak/pull/4678>.
|
|
|
e641e6 |
|
|
|
e641e6 |
In addition to counteracting an earlier --filesystem=host, in Flatpak
|
|
|
e641e6 |
versions that support it, the new --nofilesystem=host:reset removes all
|
|
|
e641e6 |
filesystem access that might have been inherited from the app manifest
|
|
|
e641e6 |
or overrides. This prevents CVE-2022-21682, while avoiding behaviour
|
|
|
e641e6 |
changes in Flatpak for non-builder use cases.
|
|
|
e641e6 |
|
|
|
e641e6 |
In older Flatpak versions, this option acts as --filesystem=host with an
|
|
|
e641e6 |
unknown mode suffix, which is ignored (with a warning, which is harmless
|
|
|
e641e6 |
but will hopefully nudge people towards upgrading Flatpak to a version
|
|
|
e641e6 |
that enables CVE-2022-21682 to be avoided). flatpak-builder will still
|
|
|
e641e6 |
be vulnerable to CVE-2022-21682 in this case.
|
|
|
e641e6 |
|
|
|
e641e6 |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
e641e6 |
(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
|
|
|
e641e6 |
---
|
|
|
e641e6 |
src/builder-main.c | 2 +-
|
|
|
e641e6 |
src/builder-manifest.c | 4 ++--
|
|
|
e641e6 |
src/builder-module.c | 2 +-
|
|
|
e641e6 |
src/builder-source-shell.c | 2 +-
|
|
|
e641e6 |
4 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
e641e6 |
|
|
|
e641e6 |
diff --git a/src/builder-main.c b/src/builder-main.c
|
|
|
e641e6 |
index a177f4b0c8b6..dc6f3e97603a 100644
|
|
|
e641e6 |
--- a/src/builder-main.c
|
|
|
e641e6 |
+++ b/src/builder-main.c
|
|
|
e641e6 |
@@ -942,7 +942,7 @@ main (int argc,
|
|
|
e641e6 |
"flatpak",
|
|
|
e641e6 |
"build",
|
|
|
e641e6 |
"--die-with-parent",
|
|
|
e641e6 |
- "--nofilesystem=host",
|
|
|
e641e6 |
+ "--nofilesystem=host:reset",
|
|
|
e641e6 |
fs_app_dir,
|
|
|
e641e6 |
fs_cache,
|
|
|
e641e6 |
"--share=network",
|
|
|
e641e6 |
diff --git a/src/builder-manifest.c b/src/builder-manifest.c
|
|
|
e641e6 |
index 62e7096674fa..ae83e493db52 100644
|
|
|
e641e6 |
--- a/src/builder-manifest.c
|
|
|
e641e6 |
+++ b/src/builder-manifest.c
|
|
|
e641e6 |
@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup ("build"));
|
|
|
e641e6 |
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup ("--die-with-parent"));
|
|
|
e641e6 |
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
|
|
|
e641e6 |
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
|
|
|
e641e6 |
if (extra_args)
|
|
|
e641e6 |
{
|
|
|
e641e6 |
for (i = 0; extra_args[i] != NULL; i++)
|
|
|
e641e6 |
@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup ("flatpak"));
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup ("build"));
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup ("--die-with-parent"));
|
|
|
e641e6 |
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
|
|
|
e641e6 |
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
|
|
|
e641e6 |
g_ptr_array_add (args, g_file_get_path (app_dir));
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup ("appstream-compose"));
|
|
|
e641e6 |
|
|
|
e641e6 |
diff --git a/src/builder-module.c b/src/builder-module.c
|
|
|
e641e6 |
index 8d1819a3e530..862c247e2fb2 100644
|
|
|
e641e6 |
--- a/src/builder-module.c
|
|
|
e641e6 |
+++ b/src/builder-module.c
|
|
|
e641e6 |
@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
|
|
|
e641e6 |
builddir = "/run/build/";
|
|
|
e641e6 |
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
|
|
|
e641e6 |
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
|
|
|
e641e6 |
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
|
|
|
e641e6 |
|
|
|
e641e6 |
/* We mount the canonical location, because bind-mounts of symlinks don't really work */
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
|
|
|
e641e6 |
diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
|
|
|
e641e6 |
index 152257b12476..8132a5c49d8a 100644
|
|
|
e641e6 |
--- a/src/builder-source-shell.c
|
|
|
e641e6 |
+++ b/src/builder-source-shell.c
|
|
|
e641e6 |
@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
|
|
|
e641e6 |
|
|
|
e641e6 |
source_dir_path_canonical = realpath (source_dir_path, NULL);
|
|
|
e641e6 |
|
|
|
e641e6 |
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
|
|
|
e641e6 |
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
|
|
|
e641e6 |
|
|
|
e641e6 |
if (env)
|
|
|
e641e6 |
--
|
|
|
e641e6 |
2.35.1
|
|
|
e641e6 |
|
|
|
e641e6 |
|
|
|
e641e6 |
From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
|
|
|
e641e6 |
From: Alexander Larsson <alexl@redhat.com>
|
|
|
e641e6 |
Date: Tue, 18 Jan 2022 09:58:29 +0100
|
|
|
e641e6 |
Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run
|
|
|
e641e6 |
|
|
|
e641e6 |
This adds support for the new host:reset mode. We don't verify
|
|
|
e641e6 |
that the argument is used as carefully as flatpak does, but any
|
|
|
e641e6 |
issue will be reported later when passed to flatpak.
|
|
|
e641e6 |
|
|
|
e641e6 |
Co-authored-by: Simon McVittie <smcv@collabora.com>
|
|
|
e641e6 |
(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
|
|
|
e641e6 |
---
|
|
|
e641e6 |
src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
|
|
|
e641e6 |
1 file changed, 21 insertions(+), 2 deletions(-)
|
|
|
e641e6 |
|
|
|
e641e6 |
diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
|
|
|
e641e6 |
index 53191016047f..89352cdc2fd5 100644
|
|
|
e641e6 |
--- a/src/builder-flatpak-utils.c
|
|
|
e641e6 |
+++ b/src/builder-flatpak-utils.c
|
|
|
e641e6 |
@@ -1196,6 +1196,7 @@ typedef enum {
|
|
|
e641e6 |
|
|
|
e641e6 |
/* In numerical order of more privs */
|
|
|
e641e6 |
typedef enum {
|
|
|
e641e6 |
+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
|
|
|
e641e6 |
FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
|
|
|
e641e6 |
FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
|
|
|
e641e6 |
FLATPAK_FILESYSTEM_MODE_CREATE = 3,
|
|
|
e641e6 |
@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
|
|
|
e641e6 |
if (mode)
|
|
|
e641e6 |
*mode = FLATPAK_FILESYSTEM_MODE_CREATE;
|
|
|
e641e6 |
}
|
|
|
e641e6 |
+ else if (g_str_equal (filesystem, "host:reset"))
|
|
|
e641e6 |
+ {
|
|
|
e641e6 |
+ filesystem = "host-reset";
|
|
|
e641e6 |
+
|
|
|
e641e6 |
+ if (mode)
|
|
|
e641e6 |
+ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
|
|
|
e641e6 |
+ }
|
|
|
e641e6 |
|
|
|
e641e6 |
return g_strndup (filesystem, len);
|
|
|
e641e6 |
}
|
|
|
e641e6 |
@@ -1810,9 +1818,12 @@ static void
|
|
|
e641e6 |
flatpak_context_remove_filesystem (FlatpakContext *context,
|
|
|
e641e6 |
const char *what)
|
|
|
e641e6 |
{
|
|
|
e641e6 |
+ FlatpakFilesystemMode mode;
|
|
|
e641e6 |
+ g_autofree char *fs = parse_filesystem_flags (what, &mode);
|
|
|
e641e6 |
+
|
|
|
e641e6 |
g_hash_table_insert (context->filesystems,
|
|
|
e641e6 |
- parse_filesystem_flags (what, NULL),
|
|
|
e641e6 |
- NULL);
|
|
|
e641e6 |
+ g_steal_pointer (&fs),
|
|
|
e641e6 |
+ GINT_TO_POINTER (mode));
|
|
|
e641e6 |
}
|
|
|
e641e6 |
|
|
|
e641e6 |
static gboolean
|
|
|
e641e6 |
@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
|
|
|
e641e6 |
}
|
|
|
e641e6 |
|
|
|
e641e6 |
+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
|
|
|
e641e6 |
+ {
|
|
|
e641e6 |
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
|
|
|
e641e6 |
+ }
|
|
|
e641e6 |
+
|
|
|
e641e6 |
g_hash_table_iter_init (&iter, context->filesystems);
|
|
|
e641e6 |
while (g_hash_table_iter_next (&iter, &key, &value))
|
|
|
e641e6 |
{
|
|
|
e641e6 |
FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
|
|
|
e641e6 |
|
|
|
e641e6 |
+ if (g_str_equal (key, "host-reset"))
|
|
|
e641e6 |
+ continue;
|
|
|
e641e6 |
+
|
|
|
e641e6 |
if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
|
|
|
e641e6 |
g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
|
|
|
e641e6 |
else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
|
|
|
e641e6 |
--
|
|
|
e641e6 |
2.35.1
|
|
|
e641e6 |
|