authorAlexander Larsson <alexl@redhat.com>2022-09-06 11:40:22 +0200
committerSimon McVittie <smcv@collabora.com>2023-03-24 13:29:32 +0000
commit23ec4eda2f52e1570e2296061f9fd4763d7e3721 (patch)
tree8a888481d7b0b70189052f9f2b14d22e94071f2e
parent4650179d7c4dc233fcd81ea21459a1e707ae202d (diff)
Use new --disable-userns bubblewrap feature when possible
This feature (added in https://github.com/containers/bubblewrap/pull/488) allows us to strengthen the guarantee that the sandbox cannot create recursive user namespaces (which is a security risk), compared to the existing limits that rely on seccomp. [smcv: Move this to flatpak_run_setup_base_argv() so it will apply equally in apply_extra_data() and `flatpak build`; make the compile-time check for a setuid bwrap into a runtime check] Co-authored-by: Simon McVittie <smcv@collabora.com> Signed-off-by: Simon McVittie <smcv@collabora.com>
-rw-r--r--common/flatpak-run.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index f871fb04..fa549c19 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3498,6 +3498,38 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
gulong pers;
gid_t gid = getgid ();
g_autoptr(GFile) etc = NULL;
+ gboolean parent_expose_pids = (flags & FLATPAK_RUN_FLAG_PARENT_EXPOSE_PIDS) != 0;
+ gboolean parent_share_pids = (flags & FLATPAK_RUN_FLAG_PARENT_SHARE_PIDS) != 0;
+ gboolean bwrap_unprivileged = flatpak_bwrap_is_unprivileged ();
+
+ /* Disable recursive userns for all flatpak processes, as we need this
+ * to guarantee that the sandbox can't restructure the filesystem.
+ * Allowing to change e.g. /.flatpak-info would allow sandbox escape
+ * via portals.
+ *
+ * This is also done via seccomp, but here we do it using userns
+ * unsharing in combination with max_user_namespaces.
+ *
+ * If bwrap is setuid, then --disable-userns will not work, which
+ * makes the seccomp filter security-critical.
+ */
+ if (bwrap_unprivileged)
+ {
+ if (parent_expose_pids || parent_share_pids)
+ {
+ /* If we're joining an existing sandbox's user and process
+ * namespaces, then it should already have creation of
+ * nested user namespaces disabled. */
+ flatpak_bwrap_add_arg (bwrap, "--assert-userns-disabled");
+ }
+ else
+ {
+ /* This is a new sandbox, so we need to disable creation of
+ * nested user namespaces. */
+ flatpak_bwrap_add_arg (bwrap, "--unshare-user");
+ flatpak_bwrap_add_arg (bwrap, "--disable-userns");
+ }
+ }
run_dir = g_strdup_printf ("/run/user/%d", getuid ());