From 86d9d711bdaada5677166a99b96b769df2c5e7b6 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Sun, 10 Feb 2019 18:23:44 +0100
Subject: [PATCH] Don't expose /proc when running apply_extra
|
As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.
|
However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.
---
common/flatpak-common-types-private.h | 1 +
common/flatpak-dir.c | 2 +-
common/flatpak-run.c | 6 +++++-
3 files changed, 7 insertions(+), 2 deletions(-)
|
diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
|
|
|
990548 |
index 8c40d2e8..1e94bd1c 100644
|
|
|
990548 |
--- a/common/flatpak-common-types-private.h
|
|
|
990548 |
+++ b/common/flatpak-common-types-private.h
|
|
|
990548 |
@@ -44,6 +44,7 @@ typedef enum {
|
|
|
990548 |
FLATPAK_RUN_FLAG_SANDBOX = (1 << 14),
|
|
|
990548 |
FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
|
|
|
990548 |
FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
|
|
|
990548 |
+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
|
|
|
990548 |
} FlatpakRunFlags;
|
|
|
990548 |
|
|
|
990548 |
typedef struct FlatpakDir FlatpakDir;
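Review bot: The new enumerator FLATPAK_RUN_FLAG_NO_PROC carries no comment, and because it is a hardening switch rather than a feature toggle, nothing in the header tells a maintainer that clearing it re-opens the /proc/self/exe path described in the commit message; I'd write `FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), /* don't mount /proc; needed for sandboxes that may run as root, see CVE-2019-5736 */`. The value skips bits 17 and 18, which are outside the visible context; presumably they belong to other flags defined nearby, but that is worth confirming so a later addition does not collide with bit 19.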
|
|
|
990548 |
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
|
|
990548 |
index eb69225d..be370d49 100644
|
|
|
990548 |
--- a/common/flatpak-dir.c
|
|
|
990548 |
+++ b/common/flatpak-dir.c
|
|
|
990548 |
@@ -6509,7 +6509,7 @@ apply_extra_data (FlatpakDir *self,
|
|
|
990548 |
NULL);
|
|
|
990548 |
|
|
|
990548 |
if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
|
|
|
990548 |
- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
|
|
|
990548 |
+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
|
|
|
990548 |
error))
|
|
|
990548 |
return FALSE;
|
|
|
990548 |
|
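Review bot: The call site gives no hint why apply_extra's sandbox, unlike the other callers, runs without /proc, so the next person touching these flags cannot tell that dropping FLATPAK_RUN_FLAG_NO_PROC weakens a sandbox that may run as root; a comment above the call such as `/* This sandbox may run as root (system installs): keep /proc out so /proc/self/exe cannot reach host files, see CVE-2019-5736 */` would record that. Whether any existing apply_extra script depends on /proc (for example to locate its own binary) cannot be judged from this hunk; if such scripts exist they will now fail, which is presumably the intended trade-off but deserves a sentence in the description. apply_extra_data begins before the hunk.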
|
|
990548 |
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
|
|
990548 |
index 6ab466af..b4f2c475 100644
|
|
|
990548 |
--- a/common/flatpak-run.c
|
|
|
990548 |
+++ b/common/flatpak-run.c
|
|
|
990548 |
@@ -2347,9 +2347,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
|
|
|
990548 |
"# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
|
|
|
990548 |
"user-config: none\n";
|
|
|
990548 |
|
|
|
990548 |
+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
|
|
|
990548 |
+ flatpak_bwrap_add_args (bwrap,
|
|
|
990548 |
+ "--proc", "/proc",
|
|
|
990548 |
+ NULL);
|
|
|
990548 |
+
|
|
|
990548 |
flatpak_bwrap_add_args (bwrap,
|
|
|
990548 |
"--unshare-pid",
|
|
|
990548 |
- "--proc", "/proc",
|
|
|
990548 |
"--dir", "/tmp",
|
|
|
990548 |
"--dir", "/var/tmp",
|
|
|
990548 |
"--dir", "/run/host",
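Review bot: The new `if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)` guard has no comment, and splitting `--proc` away from the `--unshare-pid` group below it reads like an accidental reorder rather than the deliberate hardening it is; I'd put `/* Callers that may run as root (apply_extra) pass NO_PROC: without /proc the sandbox cannot use /proc/self/exe to reach host files (CVE-2019-5736) */` above the guard. Note that `--unshare-pid` is still requested when /proc is omitted, so the sandbox gets a fresh PID namespace with no /proc mounted at all; anything later in this function or in the runtime that expects /proc to exist (bind mounts beneath it, the runtime's own tooling) should be checked, which cannot be seen from this hunk. flatpak_run_setup_base_argv continues beyond the hunk on both sides.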
--
2.20.1
|