From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Sun, 10 Feb 2019 18:23:44 +0100
Subject: [PATCH] Don't expose /proc when running apply_extra
As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.
However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.
---
common/flatpak-common-types-private.h | 1 +
common/flatpak-dir.c | 2 +-
common/flatpak-run.c | 6 +++++-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
index 8c40d2e8..1e94bd1c 100644
--- a/common/flatpak-common-types-private.h
+++ b/common/flatpak-common-types-private.h
@@ -44,6 +44,7 @@ typedef enum {
FLATPAK_RUN_FLAG_SANDBOX = (1 << 14),
FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
} FlatpakRunFlags;
typedef struct FlatpakDir FlatpakDir;
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index eb69225d..be370d49 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir *self,
NULL);
if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
error))
return FALSE;
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 6ab466af..b4f2c475 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
"# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
"user-config: none\n";
+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+ flatpak_bwrap_add_args (bwrap,
+ "--proc", "/proc",
+ NULL);
+
flatpak_bwrap_add_args (bwrap,
"--unshare-pid",
- "--proc", "/proc",
"--dir", "/tmp",
"--dir", "/var/tmp",
"--dir", "/run/host",
--
2.20.1