From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001

From: Simon McVittie <smcv@collabora.com>

Date: Mon, 17 Jan 2022 21:59:02 +0000

Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset

This requires <https://github.com/flatpak/flatpak/pull/4678>.

In addition to counteracting an earlier --filesystem=host, in Flatpak

versions that support it, the new --nofilesystem=host:reset removes all

filesystem access that might have been inherited from the app manifest

or overrides. This prevents CVE-2022-21682, while avoiding behaviour

changes in Flatpak for non-builder use cases.

In older Flatpak versions, this option acts as --filesystem=host with an

unknown mode suffix, which is ignored (with a warning, which is harmless

but will hopefully nudge people towards upgrading Flatpak to a version

that enables CVE-2022-21682 to be avoided). flatpak-builder will still

be vulnerable to CVE-2022-21682 in this case.

Signed-off-by: Simon McVittie <smcv@collabora.com>

(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)

---

 src/builder-main.c         | 2 +-

 src/builder-manifest.c     | 4 ++--

 src/builder-module.c       | 2 +-

 src/builder-source-shell.c | 2 +-

 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/builder-main.c b/src/builder-main.c

index a177f4b0c8b6..dc6f3e97603a 100644

--- a/src/builder-main.c

+++ b/src/builder-main.c

@@ -942,7 +942,7 @@ main (int    argc,

         "flatpak",

         "build",

         "--die-with-parent",

-        "--nofilesystem=host",

+        "--nofilesystem=host:reset",

         fs_app_dir,

         fs_cache,

         "--share=network",

diff --git a/src/builder-manifest.c b/src/builder-manifest.c

index 62e7096674fa..ae83e493db52 100644

--- a/src/builder-manifest.c

+++ b/src/builder-manifest.c

@@ -2124,7 +2124,7 @@ command (GFile      *app_dir,

   g_ptr_array_add (args, g_strdup ("build"));

   g_ptr_array_add (args, g_strdup ("--die-with-parent"));

-  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));

+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));

   if (extra_args)

     {

       for (i = 0; extra_args[i] != NULL; i++)

@@ -2304,7 +2304,7 @@ appstream_compose (GFile   *app_dir,

   g_ptr_array_add (args, g_strdup ("flatpak"));

   g_ptr_array_add (args, g_strdup ("build"));

   g_ptr_array_add (args, g_strdup ("--die-with-parent"));

-  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));

+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));

   g_ptr_array_add (args, g_file_get_path (app_dir));

   g_ptr_array_add (args, g_strdup ("appstream-compose"));

diff --git a/src/builder-module.c b/src/builder-module.c

index 8d1819a3e530..862c247e2fb2 100644

--- a/src/builder-module.c

+++ b/src/builder-module.c

@@ -1177,7 +1177,7 @@ setup_build_args (GFile          *app_dir,

     builddir = "/run/build/";

   g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));

-  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));

+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));

   /* We mount the canonical location, because bind-mounts of symlinks don't really work */

   g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));

diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c

index 152257b12476..8132a5c49d8a 100644

--- a/src/builder-source-shell.c

+++ b/src/builder-source-shell.c

@@ -136,7 +136,7 @@ run_script (BuilderContext *context,

   source_dir_path_canonical = realpath (source_dir_path, NULL);

-  g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));

+  g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));

   g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));

   if (env)

-- 

2.35.1

From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001

From: Alexander Larsson <alexl@redhat.com>

Date: Tue, 18 Jan 2022 09:58:29 +0100

Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run

This adds support for the new host:reset mode. We don't verify

that the argument is used as carefully as flatpak does, but any

issue will be reported later when passed to flatpak.

Co-authored-by: Simon McVittie <smcv@collabora.com>

(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)

---

 src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--

 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c

index 53191016047f..89352cdc2fd5 100644

--- a/src/builder-flatpak-utils.c

+++ b/src/builder-flatpak-utils.c

@@ -1196,6 +1196,7 @@ typedef enum {

 /* In numerical order of more privs */

 typedef enum {

+  FLATPAK_FILESYSTEM_MODE_NONE         = 0,

   FLATPAK_FILESYSTEM_MODE_READ_ONLY    = 1,

   FLATPAK_FILESYSTEM_MODE_READ_WRITE   = 2,

   FLATPAK_FILESYSTEM_MODE_CREATE       = 3,

@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)

       if (mode)

         *mode = FLATPAK_FILESYSTEM_MODE_CREATE;

     }

+  else if (g_str_equal (filesystem, "host:reset"))

+    {

+      filesystem = "host-reset";

+

+      if (mode)

+        *mode = FLATPAK_FILESYSTEM_MODE_NONE;

+    }

   return g_strndup (filesystem, len);

 }

@@ -1810,9 +1818,12 @@ static void

 flatpak_context_remove_filesystem (FlatpakContext *context,

                                    const char     *what)

 {

+  FlatpakFilesystemMode mode;

+  g_autofree char *fs = parse_filesystem_flags (what, &mode);

+

   g_hash_table_insert (context->filesystems,

-                       parse_filesystem_flags (what, NULL),

-                       NULL);

+                       g_steal_pointer (&fs),

+                       GINT_TO_POINTER (mode));

 }

 static gboolean

@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,

       g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));

     }

+  if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))

+    {

+      g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));

+    }

+

   g_hash_table_iter_init (&iter, context->filesystems);

   while (g_hash_table_iter_next (&iter, &key, &value))

     {

       FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);

+      if (g_str_equal (key, "host-reset"))

+        continue;

+

       if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)

         g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));

       else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)

-- 

2.35.1