From 9cb5f1e465cf5a3e643caf7159e89530ae867be2 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Sun, 10 Feb 2019 18:23:44 +0100
Subject: [PATCH] Don't expose /proc when running apply_extra
As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.
However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.
(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
---
common/flatpak-common-types-private.h | 1 +
common/flatpak-dir.c | 2 +-
common/flatpak-run.c | 6 +++++-
3 files changed, 7 insertions(+), 2 deletions(-)
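diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
index e361777e1..b8f76b9c4 100644
--- a/common/flatpak-common-types-private.h
+++ b/common/flatpak-common-types-private.h
@@ -45,6 +45,7 @@ typedef enum {
 FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
 FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
 FLATPAK_RUN_FLAG_CANBUS = (1 << 17),
+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
 } FlatpakRunFlags;
 
 typedef struct FlatpakDir FlatpakDir;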
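Review bot: The new FLATPAK_RUN_FLAG_NO_PROC member is added without a comment saying what it does, and it jumps from bit 17 to bit 19, which a reader of this header on its own cannot explain. A one-line comment would carry the commit's rationale into the code: `FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), /* don't mount /proc; set when the sandbox may run as root (apply_extra into the system repo) */`. The skipped bit 18 is presumably taken by a flag that exists on the branch this was cherry-picked from; a short note to that effect would stop someone reusing bit 18 on this branch and creating a conflict on a later backport.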
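diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 0809a42be..7d44cfb4f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6507,7 +6507,7 @@ apply_extra_data (FlatpakDir *self,
 NULL);
 
 if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
 error))
 return FALSE;
 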
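Review bot: The call in apply_extra_data now passes FLATPAK_RUN_FLAG_NO_PROC with no comment, so the security reason recorded in the commit message is invisible at the one place where it matters, and the flag is easy to drop the next time this argument list is edited. A comment above the call would preserve it: `/* No /proc here: this sandbox can run as root when installing into the system repo, and /proc/self/exe can reach host files (CVE-2019-5736). */`. apply_extra_data starts and ends outside the hunk, so whether every caller of this path can be root cannot be confirmed from what is shown; if only the system-repo case is root, the comment should say so.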
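diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index e8e55262e..ab167c00d 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2373,9 +2373,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
 "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
 "user-config: none\n";
 
+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+ flatpak_bwrap_add_args (bwrap,
+ "--proc", "/proc",
+ NULL);
+
 flatpak_bwrap_add_args (bwrap,
 "--unshare-pid",
- "--proc", "/proc",
 "--dir", "/tmp",
 "--dir", "/var/tmp",
 "--dir", "/run/host",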
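Review bot: The new `if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` guards a multi-line call without braces and without a comment, so nothing in the code says why mounting /proc is optional or which callers opt out. I would brace the body and add a why-comment above it: `/* Callers that may run the sandbox as root (apply_extra) pass NO_PROC, because /proc/self/exe can expose host files (CVE-2019-5736). */`. The change also moves `--proc` ahead of `--unshare-pid` in the bwrap argument list; as far as I know bwrap treats `--unshare-pid` as a global option rather than an ordered mount operation, so the reorder should be harmless, but it is worth confirming against the bwrap version this branch requires. Any extra-data apply script that reads /proc will now fail inside the sandbox; if that is an accepted trade-off it deserves a sentence in the commit message or in the comment. flatpak_run_setup_base_argv continues outside the hunk.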