diff options
author | Simon McVittie <smcv@collabora.com> | 2021-01-12 10:11:51 +0000 |
---|---|---|
committer | Alexander Larsson <alexander.larsson@gmail.com> | 2021-01-14 09:33:24 +0100 |
commit | aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4 (patch) | |
tree | 0731703214d39b781ddf17d68186c10133b19c10 /portal | |
parent | 6e5ae7a109cdfa9735ea7ccbd8cb79f9e8d3ae8b (diff) | |
download | flatpak-aeb6a7ab0abaac4a8f4ad98b3df476d9de6b8bd4.tar.gz |
portal: Convert --env in extra-args into --env-fd
This hides overridden variables from the command-line, which means
processes running under other uids can't see them in /proc/*/cmdline,
which might be important if they contain secrets.
Signed-off-by: Simon McVittie <smcv@collabora.com>
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
Diffstat (limited to 'portal')
-rw-r--r-- | portal/flatpak-portal.c | 50 |
1 files changed, 49 insertions, 1 deletions
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c index 7ae581ec..88eb02b3 100644 --- a/portal/flatpak-portal.c +++ b/portal/flatpak-portal.c @@ -257,6 +257,7 @@ typedef struct int instance_id_fd; gboolean set_tty; int tty; + int env_fd; } ChildSetupData; typedef struct @@ -485,6 +486,9 @@ child_setup_func (gpointer user_data) if (data->instance_id_fd != -1) drop_cloexec (data->instance_id_fd); + if (data->env_fd != -1) + drop_cloexec (data->env_fd); + /* Unblock all signals */ sigemptyset (&set); if (pthread_sigmask (SIG_SETMASK, &set, NULL) == -1) @@ -782,8 +786,10 @@ handle_spawn (PortalFlatpak *object, gboolean share_pids; gboolean notify_start; gboolean devel; + g_autoptr(GString) env_string = g_string_new (""); child_setup_data.instance_id_fd = -1; + child_setup_data.env_fd = -1; if (fd_list != NULL) fds = g_unix_fd_list_peek_fds (fd_list, &fds_len); @@ -1044,7 +1050,49 @@ handle_spawn (PortalFlatpak *object, else { for (i = 0; extra_args != NULL && extra_args[i] != NULL; i++) - g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i])); + { + if (g_str_has_prefix (extra_args[i], "--env=")) + { + const char *var_val = extra_args[i] + strlen ("--env="); + + if (var_val[0] == '\0' || var_val[0] == '=') + { + g_warning ("Environment variable in extra-args has empty name"); + continue; + } + + if (strchr (var_val, '=') == NULL) + { + g_warning ("Environment variable in extra-args has no value"); + continue; + } + + g_string_append (env_string, var_val); + g_string_append_c (env_string, '\0'); + } + else + { + g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i])); + } + } + } + + if (env_string->len > 0) + { + g_auto(GLnxTmpfile) env_tmpf = { 0, }; + + if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ", + env_string->str, + env_string->len, &error)) + { + g_dbus_method_invocation_return_gerror (invocation, error); + return G_DBUS_METHOD_INVOCATION_HANDLED; + } + + child_setup_data.env_fd = glnx_steal_fd (&env_tmpf.fd); + g_ptr_array_add (flatpak_argv, + g_strdup_printf ("--env-fd=%d", + child_setup_data.env_fd)); } expose_pids = (arg_flags & FLATPAK_SPAWN_FLAGS_EXPOSE_PIDS) != 0; |