authorAlexander Larsson <alexl@redhat.com>2019-02-10 18:23:44 +0100
committerAlexander Larsson <alexl@redhat.com>2019-02-11 13:39:23 +0100
commit9cb5f1e465cf5a3e643caf7159e89530ae867be2 (patch)
tree56a8502aabd27e9ea07e9533f3d127a72874b342
parenta1e50b90ea0954b23dca7805efe7629675936f87 (diff)
downloadflatpak-9cb5f1e465cf5a3e643caf7159e89530ae867be2.tar.gz
Don't expose /proc when running apply_extra
As shown by CVE-2019-5736, it is sometimes possible for the sandbox app to access outside files using /proc/self/exe. This is not typically an issue for flatpak as the sandbox runs as the user which has no permissions to e.g. modify the host files. However, when installing apps using extra-data into the system repo we *do* actually run a sandbox as root. So, in this case we disable mounting /proc in the sandbox, which will neuter attacks like this. (cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
-rw-r--r--common/flatpak-common-types-private.h1
-rw-r--r--common/flatpak-dir.c2
-rw-r--r--common/flatpak-run.c6
3 files changed, 7 insertions, 2 deletions
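diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
index e361777e..b8f76b9c 100644
--- a/common/flatpak-common-types-private.h
+++ b/common/flatpak-common-types-private.h
@@ -45,6 +45,7 @@ typedef enum {
 FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
 FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
 FLATPAK_RUN_FLAG_CANBUS = (1 << 17),
+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
 } FlatpakRunFlags;
 typedef struct FlatpakDir FlatpakDir;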
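Review bot: The new enumerator jumps from (1 << 17) to (1 << 19) with nothing in the hunk explaining why bit 18 is skipped, so a reader of this branch may take the gap for a typo and "fix" it to a value that collides with a flag elsewhere. If the bit is held free to stay value-compatible with the flag set of the commit this was cherry-picked from, say so on the line itself, e.g. `FLATPAK_RUN_FLAG_NO_PROC = (1 << 19), /* bit 18 left unused to keep values in sync with master */`. A one-line note on the flag's effect would also help, since the enum carries no per-value comments: `/* do not mount /proc inside the sandbox */`. Whether (1 << 18) is already taken in the original branch is not visible here.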
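diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 0809a42b..7d44cfb4 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6507,7 +6507,7 @@ apply_extra_data (FlatpakDir *self,
 NULL);
 if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
 error))
 return FALSE;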
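Review bot: The call site gives no hint why /proc is withheld for the apply_extra sandbox but not for ordinary app runs, so a later cleanup could drop the flag without realizing it is hardening for a sandbox that may run as root. Add a comment above the flatpak_run_setup_base_argv call, e.g. `/* No /proc: for system installs this sandbox runs as root, and /proc/self/exe can reach host files (CVE-2019-5736) */`. apply_extra_data starts and ends outside the hunk, so the code that decides whether this path runs as root is not visible here.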
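diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index e8e55262..ab167c00 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2373,9 +2373,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
 "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
 "user-config: none\n";
+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+ flatpak_bwrap_add_args (bwrap,
+ "--proc", "/proc",
+ NULL);
+
 flatpak_bwrap_add_args (bwrap,
 "--unshare-pid",
- "--proc", "/proc",
 "--dir", "/tmp",
 "--dir", "/var/tmp",
 "--dir", "/run/host",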
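Review bot: The new conditional is undocumented; nothing says that omitting the mount is deliberate hardening, nor that the sandbox still gets its own pid namespace from the `--unshare-pid` kept in the following call while /proc is simply left absent. A comment above the `if` would carry that, e.g. `/* /proc is optional: callers that run the sandbox as root omit it, because /proc/self/exe can reach the host binary (CVE-2019-5736) */`. The header comment of flatpak_run_setup_base_argv should also list what FLATPAK_RUN_FLAG_NO_PROC does, since the function's signature and the rest of its body are outside this hunk. Whether the extra-data apply scripts tolerate a missing /proc is not something the hunk shows and presumably was checked at the call site.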