From 57e97e2a488c99feedc69e9a8e4bfe7f07d9299e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 09 2021 19:29:14 +0000 Subject: import flatpak-1.8.5-5.el8_5 --- diff --git a/SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch b/SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch new file mode 100644 index 0000000..0eb4264 --- /dev/null +++ b/SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch @@ -0,0 +1,818 @@ +From e49dee0f37e0264ecd55b86832955d8b98d0d74d Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 11:53:23 +0100 +Subject: [PATCH 01/11] run: Add an errno value to seccomp filters + +At the moment, if we block a syscall we always make it fail with EPERM, +but this is risky: user-space libraries can start to use new replacements +for old syscalls at any time, and will often treat EPERM as a fatal error. +For new syscalls, we should make the syscall fail with ENOSYS, which is +indistinguishable from running on an older kernel and will cause fallback +to an older implementation, for example clone3() to clone(). + +In future we should probably move from EPERM to ENOSYS for some of the +syscalls we already block, but for now keep the status quo. + +This is a prerequisite for fixing the vulnerability tracked as +GHSA-67h7-w3jq-vh4q. + +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 62 +++++++++++++++++++++++++------------------- + 1 file changed, 36 insertions(+), 26 deletions(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 3e26710009f9..14212e1f6e55 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2623,61 +2623,63 @@ setup_seccomp (FlatpakBwrap *bwrap, + struct + { + int scall; ++ int errnum; + struct scmp_arg_cmp *arg; + } syscall_blocklist[] = { + /* Block dmesg */ +- {SCMP_SYS (syslog)}, ++ {SCMP_SYS (syslog), EPERM}, + /* Useless old syscall */ +- {SCMP_SYS (uselib)}, ++ {SCMP_SYS (uselib), EPERM}, + /* Don't allow disabling accounting */ +- {SCMP_SYS (acct)}, ++ {SCMP_SYS (acct), EPERM}, + /* 16-bit code is unnecessary in the sandbox, and modify_ldt is a + historic source of interesting information leaks. */ +- {SCMP_SYS (modify_ldt)}, ++ {SCMP_SYS (modify_ldt), EPERM}, + /* Don't allow reading current quota use */ +- {SCMP_SYS (quotactl)}, ++ {SCMP_SYS (quotactl), EPERM}, + + /* Don't allow access to the kernel keyring */ +- {SCMP_SYS (add_key)}, +- {SCMP_SYS (keyctl)}, +- {SCMP_SYS (request_key)}, ++ {SCMP_SYS (add_key), EPERM}, ++ {SCMP_SYS (keyctl), EPERM}, ++ {SCMP_SYS (request_key), EPERM}, + + /* Scary VM/NUMA ops */ +- {SCMP_SYS (move_pages)}, +- {SCMP_SYS (mbind)}, +- {SCMP_SYS (get_mempolicy)}, +- {SCMP_SYS (set_mempolicy)}, +- {SCMP_SYS (migrate_pages)}, ++ {SCMP_SYS (move_pages), EPERM}, ++ {SCMP_SYS (mbind), EPERM}, ++ {SCMP_SYS (get_mempolicy), EPERM}, ++ {SCMP_SYS (set_mempolicy), EPERM}, ++ {SCMP_SYS (migrate_pages), EPERM}, + + /* Don't allow subnamespace setups: */ +- {SCMP_SYS (unshare)}, +- {SCMP_SYS (mount)}, +- {SCMP_SYS (pivot_root)}, ++ {SCMP_SYS (unshare), EPERM}, ++ {SCMP_SYS (mount), EPERM}, ++ {SCMP_SYS (pivot_root), EPERM}, + #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) + /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack + * and flags arguments are reversed so the flags come second */ +- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, ++ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + #else + /* Normally the flags come first */ +- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, ++ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + #endif + + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ +- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, ++ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, + }; + + struct + { + int scall; ++ int errnum; + struct scmp_arg_cmp *arg; + } syscall_nondevel_blocklist[] = { + /* Profiling operations; we expect these to be done by tools from outside + * the sandbox. In particular perf has been the source of many CVEs. + */ +- {SCMP_SYS (perf_event_open)}, ++ {SCMP_SYS (perf_event_open), EPERM}, + /* Don't allow you to switch to bsd emulation or whatnot */ +- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)}, +- {SCMP_SYS (ptrace)} ++ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)}, ++ {SCMP_SYS (ptrace), EPERM} + }; + /* Blocklist all but unix, inet, inet6 and netlink */ + struct +@@ -2762,10 +2764,14 @@ setup_seccomp (FlatpakBwrap *bwrap, + for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++) + { + int scall = syscall_blocklist[i].scall; ++ int errnum = syscall_blocklist[i].errnum; ++ ++ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); ++ + if (syscall_blocklist[i].arg) +- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg); ++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); + else +- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0); ++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); + if (r < 0 && r == -EFAULT /* unknown syscall */) + return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); + } +@@ -2775,10 +2781,14 @@ setup_seccomp (FlatpakBwrap *bwrap, + for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++) + { + int scall = syscall_nondevel_blocklist[i].scall; ++ int errnum = syscall_nondevel_blocklist[i].errnum; ++ ++ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); ++ + if (syscall_nondevel_blocklist[i].arg) +- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg); ++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg); + else +- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0); ++ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); + + if (r < 0 && r == -EFAULT /* unknown syscall */) + return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); +-- +2.31.1 + + +From 0f1fbc35a6c3d17465614427fadaf9866984a297 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 12:44:04 +0100 +Subject: [PATCH 02/11] run: Add cross-references for some other seccomp + syscall filters + +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 14212e1f6e55..d51e535b822f 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2618,6 +2618,10 @@ setup_seccomp (FlatpakBwrap *bwrap, + * https://git.gnome.org/browse/linux-user-chroot + * in src/setup-seccomp.c + * ++ * Other useful resources: ++ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c ++ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json ++ * + **** END NOTE ON CODE SHARING + */ + struct +-- +2.31.1 + + +From 5dcb1f731c6dacf85ad5ea61230f049cbf2b3bbf Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 14:17:04 +0100 +Subject: [PATCH 03/11] common: Add a list of recently-added Linux syscalls + +Historically, syscalls could take arbitrarily-different values on +different architectures, but new syscalls are added with syscall numbers +that align on each architecture. + +Signed-off-by: Simon McVittie +--- + common/Makefile.am.inc | 1 + + common/flatpak-run.c | 2 + + common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++ + 3 files changed, 200 insertions(+) + create mode 100644 common/flatpak-syscalls-private.h + +diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc +index 82d85ad78724..599146ab00b9 100644 +--- a/common/Makefile.am.inc ++++ b/common/Makefile.am.inc +@@ -153,6 +153,7 @@ libflatpak_common_la_SOURCES = \ + common/flatpak-remote.c \ + common/flatpak-run-private.h \ + common/flatpak-run.c \ ++ common/flatpak-syscalls-private.h \ + common/flatpak-transaction-private.h \ + common/flatpak-transaction.c \ + common/flatpak-transaction.h \ +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index d51e535b822f..7015b11a07fe 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -41,6 +41,8 @@ + #include + #endif + ++#include "flatpak-syscalls-private.h" ++ + #ifdef ENABLE_SECCOMP + #include + #endif +diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h +new file mode 100644 +index 000000000000..04eb38ce3631 +--- /dev/null ++++ b/common/flatpak-syscalls-private.h +@@ -0,0 +1,197 @@ ++/* ++ * Copyright 2021 Collabora Ltd. ++ * SPDX-License-Identifier: LGPL-2.1-or-later ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library. If not, see . ++ */ ++ ++#pragma once ++ ++#include ++ ++#if defined(_MIPS_SIM) ++# if _MIPS_SIM == _MIPS_SIM_ABI32 ++# define FLATPAK_MISSING_SYSCALL_BASE 4000 ++# elif _MIPS_SIM == _MIPS_SIM_ABI64 ++# define FLATPAK_MISSING_SYSCALL_BASE 5000 ++# elif _MIPS_SIM == _MIPS_SIM_NABI32 ++# define FLATPAK_MISSING_SYSCALL_BASE 6000 ++# else ++# error "Unknown MIPS ABI" ++# endif ++#endif ++ ++#if defined(__ia64__) ++# define FLATPAK_MISSING_SYSCALL_BASE 1024 ++#endif ++ ++#if defined(__alpha__) ++# define FLATPAK_MISSING_SYSCALL_BASE 110 ++#endif ++ ++#if defined(__x86_64__) && defined(__ILP32__) ++# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000 ++#endif ++ ++/* ++ * FLATPAK_MISSING_SYSCALL_BASE: ++ * ++ * Number to add to the syscall numbers of recently-added syscalls ++ * to get the appropriate syscall for the current ABI. ++ */ ++#ifndef FLATPAK_MISSING_SYSCALL_BASE ++# define FLATPAK_MISSING_SYSCALL_BASE 0 ++#endif ++ ++#ifndef __NR_open_tree ++# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428) ++#endif ++#ifndef __SNR_open_tree ++# define __SNR_open_tree __NR_open_tree ++#endif ++ ++#ifndef __NR_move_mount ++# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429) ++#endif ++#ifndef __SNR_move_mount ++# define __SNR_move_mount __NR_move_mount ++#endif ++ ++#ifndef __NR_fsopen ++# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430) ++#endif ++#ifndef __SNR_fsopen ++# define __SNR_fsopen __NR_fsopen ++#endif ++ ++#ifndef __NR_fsconfig ++# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431) ++#endif ++#ifndef __SNR_fsconfig ++# define __SNR_fsconfig __NR_fsconfig ++#endif ++ ++#ifndef __NR_fsmount ++# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432) ++#endif ++#ifndef __SNR_fsmount ++# define __SNR_fsmount __NR_fsmount ++#endif ++ ++#ifndef __NR_fspick ++# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433) ++#endif ++#ifndef __SNR_fspick ++# define __SNR_fspick __NR_fspick ++#endif ++ ++#ifndef __NR_pidfd_open ++# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434) ++#endif ++#ifndef __SNR_pidfd_open ++# define __SNR_pidfd_open __NR_pidfd_open ++#endif ++ ++#ifndef __NR_clone3 ++# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435) ++#endif ++#ifndef __SNR_clone3 ++# define __SNR_clone3 __NR_clone3 ++#endif ++ ++#ifndef __NR_close_range ++# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436) ++#endif ++#ifndef __SNR_close_range ++# define __SNR_close_range __NR_close_range ++#endif ++ ++#ifndef __NR_openat2 ++# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437) ++#endif ++#ifndef __SNR_openat2 ++# define __SNR_openat2 __NR_openat2 ++#endif ++ ++#ifndef __NR_pidfd_getfd ++# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438) ++#endif ++#ifndef __SNR_pidfd_getfd ++# define __SNR_pidfd_getfd __NR_pidfd_getfd ++#endif ++ ++#ifndef __NR_faccessat2 ++# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439) ++#endif ++#ifndef __SNR_faccessat2 ++# define __SNR_faccessat2 __NR_faccessat2 ++#endif ++ ++#ifndef __NR_process_madvise ++# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440) ++#endif ++#ifndef __SNR_process_madvise ++# define __SNR_process_madvise __NR_process_madvise ++#endif ++ ++#ifndef __NR_epoll_pwait2 ++# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441) ++#endif ++#ifndef __SNR_epoll_pwait2 ++# define __SNR_epoll_pwait2 __NR_epoll_pwait2 ++#endif ++ ++#ifndef __NR_mount_setattr ++# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442) ++#endif ++#ifndef __SNR_mount_setattr ++# define __SNR_mount_setattr __NR_mount_setattr ++#endif ++ ++#ifndef __NR_quotactl_fd ++# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443) ++#endif ++#ifndef __SNR_quotactl_fd ++# define __SNR_quotactl_fd __NR_quotactl_fd ++#endif ++ ++#ifndef __NR_landlock_create_ruleset ++# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444) ++#endif ++#ifndef __SNR_landlock_create_ruleset ++# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset ++#endif ++ ++#ifndef __NR_landlock_add_rule ++# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445) ++#endif ++#ifndef __SNR_landlock_add_rule ++# define __SNR_landlock_add_rule __NR_landlock_add_rule ++#endif ++ ++#ifndef __NR_landlock_restrict_self ++# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446) ++#endif ++#ifndef __SNR_landlock_restrict_self ++# define __SNR_landlock_restrict_self __NR_landlock_restrict_self ++#endif ++ ++#ifndef __NR_memfd_secret ++# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447) ++#endif ++#ifndef __SNR_memfd_secret ++# define __SNR_memfd_secret __NR_memfd_secret ++#endif ++ ++/* Last updated: Linux 5.14, syscall numbers < 448 */ +-- +2.31.1 + + +From 2965b7fa2de4ff13b712dd6ffa7e77bfb431530c Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 11:59:00 +0100 +Subject: [PATCH 04/11] run: Block clone3() in sandbox + +clone3() can be used to implement clone() with CLONE_NEWUSER, allowing +a sandboxed process to get CAP_SYS_ADMIN in a new namespace and +manipulate its root directory. We need to block this so that AF_UNIX-based +socket servers (X11, Wayland, etc.) can rely on +/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps. + +Partially fixes GHSA-67h7-w3jq-vh4q. + +Thanks: an anonymous reporter +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 7015b11a07fe..25b3ca40a65a 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2671,6 +2671,12 @@ setup_seccomp (FlatpakBwrap *bwrap, + + /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ + {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, ++ ++ /* seccomp can't look into clone3()'s struct clone_args to check whether ++ * the flags are OK, so we have no choice but to block clone3(). ++ * Return ENOSYS so user-space will fall back to clone(). ++ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */ ++ {SCMP_SYS (clone3), ENOSYS}, + }; + + struct +-- +2.31.1 + + +From 8dd2c81f79e364f485b708e6170a4dbb5c0379d4 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 12:45:54 +0100 +Subject: [PATCH 05/11] run: Disallow recently-added mount-manipulation + syscalls + +If we don't allow mount() then we shouldn't allow these either. + +Partially fixes GHSA-67h7-w3jq-vh4q. + +Thanks: an anonymous reporter +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 25b3ca40a65a..a06f75690528 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2677,6 +2677,18 @@ setup_seccomp (FlatpakBwrap *bwrap, + * Return ENOSYS so user-space will fall back to clone(). + * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */ + {SCMP_SYS (clone3), ENOSYS}, ++ ++ /* New mount manipulation APIs can also change our VFS. There's no ++ * legitimate reason to do these in the sandbox, so block all of them ++ * rather than thinking about which ones might be dangerous. ++ * (GHSA-67h7-w3jq-vh4q) */ ++ {SCMP_SYS (open_tree), ENOSYS}, ++ {SCMP_SYS (move_mount), ENOSYS}, ++ {SCMP_SYS (fsopen), ENOSYS}, ++ {SCMP_SYS (fsconfig), ENOSYS}, ++ {SCMP_SYS (fsmount), ENOSYS}, ++ {SCMP_SYS (fspick), ENOSYS}, ++ {SCMP_SYS (mount_setattr), ENOSYS}, + }; + + struct +-- +2.31.1 + + +From d448d643d0c5a0b315bbc4eccc605c1afcde8111 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 14:19:31 +0100 +Subject: [PATCH 06/11] run: Block setns() + +If we don't allow unshare() or clone() with CLONE_NEWUSER, we also +shouldn't allow joining an existing (but different) namespace. + +Partially fixes GHSA-67h7-w3jq-vh4q. + +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index a06f75690528..09ab8369bcf2 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2658,6 +2658,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + + /* Don't allow subnamespace setups: */ + {SCMP_SYS (unshare), EPERM}, ++ {SCMP_SYS (setns), EPERM}, + {SCMP_SYS (mount), EPERM}, + {SCMP_SYS (pivot_root), EPERM}, + #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) +-- +2.31.1 + + +From c553d29a6d2402489fe2aab2e1fd7f27ffc0ba89 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 14:20:29 +0100 +Subject: [PATCH 07/11] run: Don't allow unmounting filesystems + +If we don't allow mounting filesystems, we shouldn't allow unmounting +either. + +Partially fixes GHSA-67h7-w3jq-vh4q. + +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 09ab8369bcf2..d298f91804ff 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2660,6 +2660,8 @@ setup_seccomp (FlatpakBwrap *bwrap, + {SCMP_SYS (unshare), EPERM}, + {SCMP_SYS (setns), EPERM}, + {SCMP_SYS (mount), EPERM}, ++ {SCMP_SYS (umount), EPERM}, ++ {SCMP_SYS (umount2), EPERM}, + {SCMP_SYS (pivot_root), EPERM}, + #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) + /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack +-- +2.31.1 + + +From 0b85038cd1bd2fba41225fa2180ee3cbbde68ee9 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Wed, 1 Sep 2021 14:21:04 +0100 +Subject: [PATCH 08/11] run: Don't allow chroot() + +If we don't allow pivot_root() then there seems no reason why we should +allow chroot(). + +Partially fixes GHSA-67h7-w3jq-vh4q. + +Signed-off-by: Simon McVittie +--- + common/flatpak-run.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index d298f91804ff..9b3648065b82 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2663,6 +2663,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + {SCMP_SYS (umount), EPERM}, + {SCMP_SYS (umount2), EPERM}, + {SCMP_SYS (pivot_root), EPERM}, ++ {SCMP_SYS (chroot), EPERM}, + #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) + /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack + * and flags arguments are reversed so the flags come second */ +-- +2.31.1 + + +From f0e2093275199ec6ff023c332f012f42615e9f8f Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 8 Oct 2021 17:05:07 +0100 +Subject: [PATCH 09/11] run: Handle unknown syscalls as intended + +The error-handling here was + + if (r < 0 && r == -EFAULT) + +but Alex says it was almost certainly intended to be + + if (r < 0 && r != -EFAULT) + +so that syscalls not known to libseccomp are not a fatal error. + +Instead of literally making that change, emit a debug message on -EFAULT +so we can see what is going on. + +This temporarily weakens our defence against CVE-2021-41133 +(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed +version of libseccomp does not know about the recently-added syscalls, +but the kernel does, then we will not prevent non-native executables +from using those syscalls. + +Resolves: https://github.com/flatpak/flatpak/issues/4458 +Signed-off-by: Simon McVittie +(cherry picked from commit d419fa67038370e4f4c3ce8c3b5f672d4876cfc8) +(cherry picked from commit 270701f900c8612cf1fc5e6f5a6e2eb6459708c1) +--- + common/flatpak-run.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 9b3648065b82..04a034f27392 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2800,7 +2800,16 @@ setup_seccomp (FlatpakBwrap *bwrap, + r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); + else + r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); +- if (r < 0 && r == -EFAULT /* unknown syscall */) ++ ++ /* EFAULT means "internal libseccomp error", but in practice we get ++ * this for syscall numbers added via flatpak-syscalls-private.h ++ * when trying to filter them on a non-native architecture, because ++ * libseccomp cannot map the syscall number to a name and back to a ++ * number for the non-native architecture. */ ++ if (r == -EFAULT) ++ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", ++ scall); ++ else if (r < 0) + return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); + } + +@@ -2818,7 +2827,11 @@ setup_seccomp (FlatpakBwrap *bwrap, + else + r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); + +- if (r < 0 && r == -EFAULT /* unknown syscall */) ++ /* See above for the meaning of EFAULT. */ ++ if (errno == EFAULT) ++ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", ++ scall); ++ else if (r < 0) + return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); + } + } +-- +2.31.1 + + +From de504cb72d2978ab67c9aa4bbbd63895128199c2 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 8 Oct 2021 19:00:13 +0100 +Subject: [PATCH 10/11] Fix handling of syscalls only allowed by --devel + +This was incorrectly looking at errno instead of -r. + +Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended" +Signed-off-by: Simon McVittie +(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861) +(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a) +--- + common/flatpak-run.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 04a034f27392..87988b9f7e51 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2828,7 +2828,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); + + /* See above for the meaning of EFAULT. */ +- if (errno == EFAULT) ++ if (r == -EFAULT) + flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", + scall); + else if (r < 0) +-- +2.31.1 + + +From 81492b64bbacc3c523e150ad5164f18973852b28 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 8 Oct 2021 19:06:13 +0100 +Subject: [PATCH 11/11] run: Improve error handling/diagnostics for calls into + libseccomp + +Signed-off-by: Simon McVittie +(cherry picked from commit 53bde36585b88a2b96bf896ed79b40ccb6a72c54) +(cherry picked from commit bd2c58fc27fa5e31029339dbce8eea10717015f3) +--- + common/flatpak-run.c | 46 ++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 40 insertions(+), 6 deletions(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 87988b9f7e51..c72b0cd96598 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -2572,6 +2572,38 @@ static const uint32_t seccomp_x86_64_extra_arches[] = { SCMP_ARCH_X86, 0, }; + static const uint32_t seccomp_aarch64_extra_arches[] = { SCMP_ARCH_ARM, 0 }; + #endif + ++/* ++ * @negative_errno: Result code as returned by libseccomp functions ++ * ++ * Translate a libseccomp error code into an error message. libseccomp ++ * mostly returns negative `errno` values such as `-ENOMEM`, but some ++ * standard `errno` values are used for non-standard purposes where their ++ * `strerror()` would be misleading. ++ * ++ * Returns: a string version of @negative_errno if possible ++ */ ++static const char * ++flatpak_seccomp_strerror (int negative_errno) ++{ ++ g_return_val_if_fail (negative_errno < 0, "Non-negative error value from libseccomp?"); ++ g_return_val_if_fail (negative_errno > INT_MIN, "Out of range error value from libseccomp?"); ++ ++ switch (negative_errno) ++ { ++ case -EDOM: ++ return "Architecture specific failure"; ++ ++ case -EFAULT: ++ return "Internal libseccomp failure (unknown syscall?)"; ++ ++ case -ECANCELED: ++ return "System failure beyond the control of libseccomp"; ++ } ++ ++ /* e.g. -ENOMEM: the result of strerror() is good enough */ ++ return g_strerror (-negative_errno); ++} ++ + static inline void + cleanup_seccomp (void *p) + { +@@ -2769,7 +2801,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + couldn't continue running. */ + r = seccomp_arch_add (seccomp, arch_id); + if (r < 0 && r != -EEXIST) +- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter")); ++ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r)); + + if (multiarch && extra_arches != NULL) + { +@@ -2778,7 +2810,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + { + r = seccomp_arch_add (seccomp, extra_arches[i]); + if (r < 0 && r != -EEXIST) +- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter")); ++ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r)); + } + } + } +@@ -2810,7 +2842,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", + scall); + else if (r < 0) +- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); ++ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r)); + } + + if (!devel) +@@ -2832,7 +2864,7 @@ setup_seccomp (FlatpakBwrap *bwrap, + flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", + scall); + else if (r < 0) +- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); ++ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r)); + } + } + +@@ -2862,8 +2894,10 @@ setup_seccomp (FlatpakBwrap *bwrap, + if (!glnx_open_anonymous_tmpfile_full (O_RDWR | O_CLOEXEC, "/tmp", &seccomp_tmpf, error)) + return FALSE; + +- if (seccomp_export_bpf (seccomp, seccomp_tmpf.fd) != 0) +- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf")); ++ r = seccomp_export_bpf (seccomp, seccomp_tmpf.fd); ++ ++ if (r != 0) ++ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf: %s"), flatpak_seccomp_strerror (r)); + + lseek (seccomp_tmpf.fd, 0, SEEK_SET); + +-- +2.31.1 + diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index 265250c..c08d102 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -3,7 +3,7 @@ Name: flatpak Version: 1.8.5 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ @@ -13,7 +13,11 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/ Patch0: flatpak-1.8.5-post-cve-fixes.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1938064 Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2012868 +Patch2: flatpak-1.8.5-fix-CVE-2021-41133.patch +BuildRequires: autoconf +BuildRequires: automake BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(fuse) @@ -35,8 +39,11 @@ BuildRequires: bubblewrap >= %{bubblewrap_version} BuildRequires: docbook-dtds BuildRequires: docbook-style-xsl BuildRequires: gettext +BuildRequires: gettext-devel BuildRequires: gpgme-devel +BuildRequires: gtk-doc BuildRequires: libcap-devel +BuildRequires: libtool BuildRequires: python3-pyparsing BuildRequires: systemd BuildRequires: /usr/bin/python3 @@ -125,6 +132,8 @@ This package contains installed tests for %{name}. %build +autoreconf --force --install --verbose + (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; # Generate consistent IDs between runs to avoid multilib problems. export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" @@ -244,6 +253,9 @@ fi %changelog +* Tue Oct 26 2021 Debarshi Ray - 1.8.5-5 +- Fix CVE-2021-41133 (#2012868) + * Wed Jul 28 2021 Tomas Popela - 1.8.5-4 - Ship flatpak-devel in CRB (#1938064)