From dd05ea86a4701a33cc4d271edf0a36b5c972e2e1 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 17 Jan 2022 21:59:02 +0000
Subject: [PATCH 1/2] Disable filesystem access with --nofilesystem=host:reset

This requires . In addition to counteracting an earlier --filesystem=host, in Flatpak versions that support it, the new --nofilesystem=host:reset removes all filesystem access that might have been inherited from the app manifest or overrides. This prevents CVE-2022-21682, while avoiding behaviour changes in Flatpak for non-builder use cases. In older Flatpak versions, this option acts as --filesystem=host with an unknown mode suffix, which is ignored (with a warning, which is harmless but will hopefully nudge people towards upgrading Flatpak to a version that enables CVE-2022-21682 to be avoided). flatpak-builder will still be vulnerable to CVE-2022-21682 in this case.

Signed-off-by: Simon McVittie
(cherry picked from commit 2d1b6799e782d5e5577072aa7bbfed00ddf0b087)
---
 src/builder-main.c | 2 +-
 src/builder-manifest.c | 4 ++--
 src/builder-module.c | 2 +-
 src/builder-source-shell.c | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/builder-main.c b/src/builder-main.c
index a177f4b0c8b6..dc6f3e97603a 100644
--- a/src/builder-main.c
+++ b/src/builder-main.c
@@ -942,7 +942,7 @@ main (int argc,
 "flatpak",
 "build",
 "--die-with-parent",
- "--nofilesystem=host",
+ "--nofilesystem=host:reset",
 fs_app_dir,
 fs_cache,
 "--share=network",
diff --git a/src/builder-manifest.c b/src/builder-manifest.c
index 62e7096674fa..ae83e493db52 100644
--- a/src/builder-manifest.c
+++ b/src/builder-manifest.c
@@ -2124,7 +2124,7 @@ command (GFile *app_dir,
 g_ptr_array_add (args, g_strdup ("build"));
 g_ptr_array_add (args, g_strdup ("--die-with-parent"));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
 if (extra_args)
 {
 for (i = 0; extra_args[i] != NULL; i++)
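Review bot: The same literal `"--nofilesystem=host:reset"` now appears verbatim at five call sites — here in `main`, in `command` and `appstream_compose` (builder-manifest.c), `setup_build_args` (builder-module.c) and `run_script` (builder-source-shell.c) — so a single shared constant would keep the sandbox argument lists from drifting apart the next time one of them changes. The commit message explains that a Flatpak without host:reset support only warns and leaves the host filesystem reachable, but none of the five sites records that, so the constant (or each site) deserves a comment such as `/* needs a Flatpak that understands host:reset; older versions only warn, leaving CVE-2022-21682 open */`. Since the degraded case is silent apart from flatpak's own warning, it may be worth the builder checking the installed flatpak's version before relying on the reset, or at least surfacing that warning prominently. `main`'s body extends beyond the hunk on both sides.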
@@ -2304,7 +2304,7 @@ appstream_compose (GFile *app_dir,
 g_ptr_array_add (args, g_strdup ("flatpak"));
 g_ptr_array_add (args, g_strdup ("build"));
 g_ptr_array_add (args, g_strdup ("--die-with-parent"));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
 g_ptr_array_add (args, g_file_get_path (app_dir));
 g_ptr_array_add (args, g_strdup ("appstream-compose"));
diff --git a/src/builder-module.c b/src/builder-module.c
index 8d1819a3e530..862c247e2fb2 100644
--- a/src/builder-module.c
+++ b/src/builder-module.c
@@ -1177,7 +1177,7 @@ setup_build_args (GFile *app_dir,
 builddir = "/run/build/";
 g_ptr_array_add (args, g_strdup_printf ("--env=FLATPAK_BUILDER_BUILDDIR=%s%s", builddir, module_name));
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
 /* We mount the canonical location, because bind-mounts of symlinks don't really work */
 g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
diff --git a/src/builder-source-shell.c b/src/builder-source-shell.c
index 152257b12476..8132a5c49d8a 100644
--- a/src/builder-source-shell.c
+++ b/src/builder-source-shell.c
@@ -136,7 +136,7 @@ run_script (BuilderContext *context,
 source_dir_path_canonical = realpath (source_dir_path, NULL);
- g_ptr_array_add (args, g_strdup ("--nofilesystem=host"));
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
 g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s", source_dir_path_canonical));
 if (env)
-- 
2.35.1

From 26cab8d7aae2146fa95cf5ad28e286f8034d97dc Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Tue, 18 Jan 2022 09:58:29 +0100
Subject: [PATCH 2/2] Allow --nofilesystem=host:reset in flatpak-builder --run

This adds support for the new host:reset mode. We don't verify that the argument is used as carefully as flatpak does, but any issue will be reported later when passed to flatpak.

Co-authored-by: Simon McVittie
(cherry picked from commit 27aa2f5e4508d03178bf905ee7099d6d69a79aa4)
---
 src/builder-flatpak-utils.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/builder-flatpak-utils.c b/src/builder-flatpak-utils.c
index 53191016047f..89352cdc2fd5 100644
--- a/src/builder-flatpak-utils.c
+++ b/src/builder-flatpak-utils.c
@@ -1196,6 +1196,7 @@ typedef enum {
 /* In numerical order of more privs */
 typedef enum {
+ FLATPAK_FILESYSTEM_MODE_NONE = 0,
 FLATPAK_FILESYSTEM_MODE_READ_ONLY = 1,
 FLATPAK_FILESYSTEM_MODE_READ_WRITE = 2,
 FLATPAK_FILESYSTEM_MODE_CREATE = 3,
@@ -1770,6 +1771,13 @@ parse_filesystem_flags (const char *filesystem, FlatpakFilesystemMode *mode)
 if (mode)
 *mode = FLATPAK_FILESYSTEM_MODE_CREATE;
 }
+ else if (g_str_equal (filesystem, "host:reset"))
+ {
+ filesystem = "host-reset";
+
+ if (mode)
+ *mode = FLATPAK_FILESYSTEM_MODE_NONE;
+ }
 return g_strndup (filesystem, len);
 }
@@ -1810,9 +1818,12 @@ static void
 flatpak_context_remove_filesystem (FlatpakContext *context,
 const char *what)
 {
+ FlatpakFilesystemMode mode;
+ g_autofree char *fs = parse_filesystem_flags (what, &mode);
+
 g_hash_table_insert (context->filesystems,
- parse_filesystem_flags (what, NULL),
- NULL);
+ g_steal_pointer (&fs),
+ GINT_TO_POINTER (mode));
 }
 static gboolean
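Review bot: In the new `host:reset` branch of `parse_filesystem_flags`, `filesystem` is swapped for the literal `"host-reset"` while `len` is left as computed further up (outside the hunk, presumably from the original string), so the `g_strndup (filesystem, len)` that follows returns the whole replacement only because both spellings happen to be ten bytes long. Nothing at the return statement hints at that coupling; setting the length explicitly inside the branch, `len = strlen (filesystem);`, or at least recording it, `/* same length as "host:reset", so len still spans the replacement */`, would keep a future rename of the key from silently truncating it. The function's opening lines, where `len` is initialised, are outside the hunk.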
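Review bot: `flatpak_context_remove_filesystem` now stores whatever mode `parse_filesystem_flags` reports instead of a fixed `NULL`, so a negated entry carrying a mode suffix — say `--nofilesystem=home:ro` — is recorded as `FLATPAK_FILESYSTEM_MODE_READ_ONLY` and later emitted by `flatpak_context_to_args` as `--filesystem=home:ro`, turning a removal into a grant that flatpak will accept; the commit message defers suffix validation to flatpak, but on this path the suffix is consumed here and never reaches it. If `parse_filesystem_flags` also presets a non-NONE default for suffix-less input (its head is outside the hunk), plain `--nofilesystem=home` would be affected the same way. Because the `host:reset` → `host-reset` key rewrite happens whether or not `mode` is requested, the mode capture is unnecessary: keep `parse_filesystem_flags (what, NULL)` as the key and insert `GINT_TO_POINTER (FLATPAK_FILESYSTEM_MODE_NONE)` as the value, which is the same `NULL` the old code stored and still leaves the `host-reset` sentinel for `flatpak_context_to_args` to find.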
@@ -2222,11 +2233,19 @@ flatpak_context_to_args (FlatpakContext *context,
 g_ptr_array_add (args, g_strdup_printf ("--system-%s-name=%s", flatpak_policy_to_string (policy), name));
 }
+ if (g_hash_table_lookup_extended (context->filesystems, "host-reset", NULL, NULL))
+ {
+ g_ptr_array_add (args, g_strdup ("--nofilesystem=host:reset"));
+ }
+
 g_hash_table_iter_init (&iter, context->filesystems);
 while (g_hash_table_iter_next (&iter, &key, &value))
 {
 FlatpakFilesystemMode mode = GPOINTER_TO_INT (value);
+ if (g_str_equal (key, "host-reset"))
+ continue;
+
 if (mode == FLATPAK_FILESYSTEM_MODE_READ_ONLY)
 g_ptr_array_add (args, g_strdup_printf ("--filesystem=%s:ro", (char *)key));
 else if (mode == FLATPAK_FILESYSTEM_MODE_READ_WRITE)
-- 
2.35.1
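Review bot: `--nofilesystem=host:reset` is emitted ahead of the filesystem loop without a word on why the position matters; if flatpak applies these options in order, as the reset semantics described in the first commit imply, moving it after any `--filesystem=` would cancel those grants, so a comment such as `/* must precede every --filesystem: host:reset drops inherited access, later grants re-add it */` would protect the ordering from a future refactor. The `continue` on the `host-reset` key is what keeps that sentinel out of the loop's remaining branches (which lie outside the hunk) and is worth its own line, e.g. `/* sentinel inserted by flatpak_context_remove_filesystem; already emitted above */`. `g_hash_table_lookup_extended` with two NULL out-parameters is only a presence test; `g_hash_table_contains` says that directly. The braces around the single `g_ptr_array_add` also differ from the brace-less `if`/`else if` chain a few lines below.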