import flatpak-1.8.5-3.el8
parent
46db632dfe
commit
24ffc0f355
@ -1 +1 @@
|
||||
6763d41ca91cb2547456c16ca5f7d53c95d89a14 SOURCES/flatpak-1.6.2.tar.xz
|
||||
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/flatpak-1.6.2.tar.xz
|
||||
SOURCES/flatpak-1.8.5.tar.xz
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 7ad549b89dfbfb67fd1cbbf6cafdd996e4722246 Mon Sep 17 00:00:00 2001
|
||||
From: "Owen W. Taylor" <otaylor@fishsoup.net>
|
||||
Date: Wed, 9 Sep 2020 16:14:57 -0400
|
||||
Subject: [PATCH] OCI: extract appstream data for runtimes
|
||||
|
||||
Runtimes also have appstream data - with description, license information,
|
||||
and so forth, so we should extract the appstream data from the index
|
||||
for refs that start with runtime/ as well.
|
||||
---
|
||||
common/flatpak-oci-registry.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
||||
index cf501a5eb..0f7471129 100644
|
||||
--- a/common/flatpak-oci-registry.c
|
||||
+++ b/common/flatpak-oci-registry.c
|
||||
@@ -3120,7 +3120,8 @@ add_image_to_appstream (SoupSession *soup_session,
|
||||
return;
|
||||
|
||||
ref_parts = g_strsplit (ref, "/", -1);
|
||||
- if (g_strv_length (ref_parts) != 4 || strcmp (ref_parts[0], "app") != 0)
|
||||
+ if (g_strv_length (ref_parts) != 4 ||
|
||||
+ (strcmp (ref_parts[0], "app") != 0 && strcmp (ref_parts[0], "runtime") != 0))
|
||||
return;
|
||||
|
||||
id = ref_parts[1];
|
@ -1,983 +0,0 @@
|
||||
From 038655c9ee29ee659e5fede4d36871cf8ccef803 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 7 Dec 2020 18:08:16 +0000
|
||||
Subject: [PATCH 01/10] common: Add a backport of
|
||||
G_DBUS_METHOD_INVOCATION_HANDLED
|
||||
|
||||
This is syntactic sugar added in GLib 2.67.0, which makes it more clearly
|
||||
correct when we return TRUE after a GDBus error.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-utils-base-private.h | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-utils-base-private.h b/common/flatpak-utils-base-private.h
|
||||
index 181a0c95..9d10a530 100644
|
||||
--- a/common/flatpak-utils-base-private.h
|
||||
+++ b/common/flatpak-utils-base-private.h
|
||||
@@ -22,6 +22,12 @@
|
||||
#define __FLATPAK_UTILS_BASE_H__
|
||||
|
||||
#include <glib.h>
|
||||
+#include <gio/gio.h>
|
||||
+
|
||||
+#ifndef G_DBUS_METHOD_INVOCATION_HANDLED
|
||||
+# define G_DBUS_METHOD_INVOCATION_HANDLED TRUE
|
||||
+# define G_DBUS_METHOD_INVOCATION_UNHANDLED FALSE
|
||||
+#endif
|
||||
|
||||
char *flatpak_get_timezone (void);
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From 6ed3e235459f5fe8b58aecbab744166a5ee66f9d Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Sun, 10 Jan 2021 16:11:28 +0000
|
||||
Subject: [PATCH 02/10] run: Convert all environment variables into bwrap
|
||||
arguments
|
||||
|
||||
This avoids some of them being filtered out by a setuid bwrap. It also
|
||||
means that if they came from an untrusted source, they cannot be used
|
||||
to inject arbitrary code into a non-setuid bwrap via mechanisms like
|
||||
LD_PRELOAD.
|
||||
|
||||
Because they get bundled into a memfd or temporary file, they do not
|
||||
actually appear in argv, ensuring that they remain inaccessible to
|
||||
processes running under a different uid (which is important if their
|
||||
values are tokens or other secrets).
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
---
|
||||
common/flatpak-bwrap-private.h | 3 +++
|
||||
common/flatpak-bwrap.c | 43 ++++++++++++++++++++++++++++++++++
|
||||
common/flatpak-run.c | 32 +++++++++++--------------
|
||||
3 files changed, 60 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/common/flatpak-bwrap-private.h b/common/flatpak-bwrap-private.h
|
||||
index 92d6e9de..6c31b789 100644
|
||||
--- a/common/flatpak-bwrap-private.h
|
||||
+++ b/common/flatpak-bwrap-private.h
|
||||
@@ -43,6 +43,8 @@ void flatpak_bwrap_unset_env (FlatpakBwrap *bwrap,
|
||||
const char *variable);
|
||||
void flatpak_bwrap_add_arg (FlatpakBwrap *bwrap,
|
||||
const char *arg);
|
||||
+void flatpak_bwrap_take_arg (FlatpakBwrap *bwrap,
|
||||
+ char *arg);
|
||||
void flatpak_bwrap_add_noinherit_fd (FlatpakBwrap *bwrap,
|
||||
int fd);
|
||||
void flatpak_bwrap_add_fd (FlatpakBwrap *bwrap,
|
||||
@@ -73,6 +75,7 @@ void flatpak_bwrap_add_bind_arg (FlatpakBwrap *bwrap,
|
||||
const char *type,
|
||||
const char *src,
|
||||
const char *dest);
|
||||
+void flatpak_bwrap_envp_to_args (FlatpakBwrap *bwrap);
|
||||
gboolean flatpak_bwrap_bundle_args (FlatpakBwrap *bwrap,
|
||||
int start,
|
||||
int end,
|
||||
diff --git a/common/flatpak-bwrap.c b/common/flatpak-bwrap.c
|
||||
index 7e5d38d1..d383d25f 100644
|
||||
--- a/common/flatpak-bwrap.c
|
||||
+++ b/common/flatpak-bwrap.c
|
||||
@@ -109,6 +109,18 @@ flatpak_bwrap_add_arg (FlatpakBwrap *bwrap, const char *arg)
|
||||
g_ptr_array_add (bwrap->argv, g_strdup (arg));
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * flatpak_bwrap_take_arg:
|
||||
+ * @arg: (transfer full): Take ownership of this argument
|
||||
+ *
|
||||
+ * Add @arg to @bwrap's argv, taking ownership of the pointer.
|
||||
+ */
|
||||
+void
|
||||
+flatpak_bwrap_take_arg (FlatpakBwrap *bwrap, char *arg)
|
||||
+{
|
||||
+ g_ptr_array_add (bwrap->argv, arg);
|
||||
+}
|
||||
+
|
||||
void
|
||||
flatpak_bwrap_finish (FlatpakBwrap *bwrap)
|
||||
{
|
||||
@@ -274,6 +286,37 @@ flatpak_bwrap_add_bind_arg (FlatpakBwrap *bwrap,
|
||||
}
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Convert bwrap->envp into a series of --setenv arguments for bwrap(1),
|
||||
+ * assumed to be applied to an empty environment. Reset envp to be an
|
||||
+ * empty environment.
|
||||
+ */
|
||||
+void
|
||||
+flatpak_bwrap_envp_to_args (FlatpakBwrap *bwrap)
|
||||
+{
|
||||
+ gsize i;
|
||||
+
|
||||
+ for (i = 0; bwrap->envp[i] != NULL; i++)
|
||||
+ {
|
||||
+ char *key_val = bwrap->envp[i];
|
||||
+ char *eq = strchr (key_val, '=');
|
||||
+
|
||||
+ if (eq)
|
||||
+ {
|
||||
+ flatpak_bwrap_add_arg (bwrap, "--setenv");
|
||||
+ flatpak_bwrap_take_arg (bwrap, g_strndup (key_val, eq - key_val));
|
||||
+ flatpak_bwrap_add_arg (bwrap, eq + 1);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ g_warn_if_reached ();
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ g_strfreev (g_steal_pointer (&bwrap->envp));
|
||||
+ bwrap->envp = g_strdupv (flatpak_bwrap_empty_env);
|
||||
+}
|
||||
+
|
||||
gboolean
|
||||
flatpak_bwrap_bundle_args (FlatpakBwrap *bwrap,
|
||||
int start,
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 51c002ff..9383610b 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -1314,24 +1314,6 @@ flatpak_run_add_environment_args (FlatpakBwrap *bwrap,
|
||||
flatpak_run_add_system_dbus_args (bwrap, proxy_arg_bwrap, context, flags);
|
||||
flatpak_run_add_a11y_dbus_args (bwrap, proxy_arg_bwrap, context, flags);
|
||||
|
||||
- if (g_environ_getenv (bwrap->envp, "LD_LIBRARY_PATH") != NULL)
|
||||
- {
|
||||
- /* LD_LIBRARY_PATH is overridden for setuid helper, so pass it as cmdline arg */
|
||||
- flatpak_bwrap_add_args (bwrap,
|
||||
- "--setenv", "LD_LIBRARY_PATH", g_environ_getenv (bwrap->envp, "LD_LIBRARY_PATH"),
|
||||
- NULL);
|
||||
- flatpak_bwrap_unset_env (bwrap, "LD_LIBRARY_PATH");
|
||||
- }
|
||||
-
|
||||
- if (g_environ_getenv (bwrap->envp, "TMPDIR") != NULL)
|
||||
- {
|
||||
- /* TMPDIR is overridden for setuid helper, so pass it as cmdline arg */
|
||||
- flatpak_bwrap_add_args (bwrap,
|
||||
- "--setenv", "TMPDIR", g_environ_getenv (bwrap->envp, "TMPDIR"),
|
||||
- NULL);
|
||||
- flatpak_bwrap_unset_env (bwrap, "TMPDIR");
|
||||
- }
|
||||
-
|
||||
/* Must run this before spawning the dbus proxy, to ensure it
|
||||
ends up in the app cgroup */
|
||||
if (!flatpak_run_in_transient_unit (app_id, &my_error))
|
||||
@@ -3852,6 +3834,8 @@ flatpak_run_app (const char *app_ref,
|
||||
command = default_command;
|
||||
}
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
@@ -3882,6 +3866,12 @@ flatpak_run_app (const char *app_ref,
|
||||
/* We use LEAVE_DESCRIPTORS_OPEN to work around dead-lock, see flatpak_close_fds_workaround */
|
||||
spawn_flags |= G_SPAWN_LEAVE_DESCRIPTORS_OPEN;
|
||||
|
||||
+ /* flatpak_bwrap_envp_to_args() moved the environment variables to
|
||||
+ * be set into --setenv instructions in argv, so the environment
|
||||
+ * in which the bwrap command runs must be empty. */
|
||||
+ g_assert (bwrap->envp != NULL);
|
||||
+ g_assert (bwrap->envp[0] == NULL);
|
||||
+
|
||||
if (!g_spawn_async (NULL,
|
||||
(char **) bwrap->argv->pdata,
|
||||
bwrap->envp,
|
||||
@@ -3909,6 +3899,12 @@ flatpak_run_app (const char *app_ref,
|
||||
* we do want to allow inheriting fds into flatpak run. */
|
||||
flatpak_bwrap_child_setup (bwrap->fds, FALSE);
|
||||
|
||||
+ /* flatpak_bwrap_envp_to_args() moved the environment variables to
|
||||
+ * be set into --setenv instructions in argv, so the environment
|
||||
+ * in which the bwrap command runs must be empty. */
|
||||
+ g_assert (bwrap->envp != NULL);
|
||||
+ g_assert (bwrap->envp[0] == NULL);
|
||||
+
|
||||
if (execvpe (flatpak_get_bwrap (), (char **) bwrap->argv->pdata, bwrap->envp) == -1)
|
||||
{
|
||||
g_set_error_literal (error, G_IO_ERROR, g_io_error_from_errno (errno),
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From a1dec4885218f40b03044c82245d5b362c0affeb Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 11 Jan 2021 12:14:48 +0000
|
||||
Subject: [PATCH 03/10] tests: Expand coverage for environment variable
|
||||
overrides
|
||||
|
||||
This checks that `flatpak run --env=` takes precedence over
|
||||
`flatpak override --env=`, and that environment variables don't get
|
||||
onto the bwrap command-line (which would be information disclosure
|
||||
if their values are secret).
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
---
|
||||
tests/test-override.sh | 68 +++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 67 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/test-override.sh b/tests/test-override.sh
|
||||
index 93009ee3..1213bbd4 100755
|
||||
--- a/tests/test-override.sh
|
||||
+++ b/tests/test-override.sh
|
||||
@@ -12,7 +12,7 @@ reset_overrides () {
|
||||
assert_file_empty info
|
||||
}
|
||||
|
||||
-echo "1..13"
|
||||
+echo "1..15"
|
||||
|
||||
setup_repo
|
||||
install_repo
|
||||
@@ -65,14 +65,80 @@ reset_overrides
|
||||
|
||||
${FLATPAK} override --user --env=FOO=BAR org.test.Hello
|
||||
${FLATPAK} override --user --env=BAR= org.test.Hello
|
||||
+# TODO: A future commit will add a way to avoid this ever being present in argv
|
||||
+${FLATPAK} override --user --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 org.test.Hello
|
||||
+# TMPDIR and TZDIR are filtered out by ld.so for setuid processes,
|
||||
+# so setting these gives us a way to verify that we can pass them through
|
||||
+# a setuid bwrap (without special-casing them, as we previously did for
|
||||
+# TMPDIR).
|
||||
+${FLATPAK} override --user --env=TMPDIR=/nonexistent/tmp org.test.Hello
|
||||
+${FLATPAK} override --user --env=TZDIR=/nonexistent/tz org.test.Hello
|
||||
${FLATPAK} override --user --show org.test.Hello > override
|
||||
|
||||
assert_file_has_content override "^\[Environment\]$"
|
||||
assert_file_has_content override "^FOO=BAR$"
|
||||
assert_file_has_content override "^BAR=$"
|
||||
+assert_file_has_content override "^SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6$"
|
||||
+assert_file_has_content override "^TMPDIR=/nonexistent/tmp$"
|
||||
+assert_file_has_content override "^TZDIR=/nonexistent/tz$"
|
||||
|
||||
echo "ok override --env"
|
||||
|
||||
+if skip_one_without_bwrap "sandbox environment variables"; then
|
||||
+ :
|
||||
+else
|
||||
+ ${FLATPAK} run --command=bash org.test.Hello \
|
||||
+ -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' > out
|
||||
+ assert_file_has_content out '^FOO=BAR$'
|
||||
+ assert_file_has_content out '^BAR=$'
|
||||
+ assert_file_has_content out '^SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6$'
|
||||
+ # The variables that would be filtered out by a setuid bwrap get set
|
||||
+ assert_file_has_content out '^TZDIR=/nonexistent/tz$'
|
||||
+ assert_file_has_content out '^TMPDIR=/nonexistent/tmp$'
|
||||
+ ${FLATPAK} run --command=cat org.test.Hello -- /proc/1/cmdline > out
|
||||
+ # The secret doesn't end up in bubblewrap's cmdline where other users
|
||||
+ # could see it
|
||||
+ assert_not_file_has_content out 3047225e-5e38-4357-b21c-eac83b7e8ea6
|
||||
+
|
||||
+ ok "sandbox environment variables"
|
||||
+fi
|
||||
+
|
||||
+reset_overrides
|
||||
+
|
||||
+if skip_one_without_bwrap "temporary environment variables"; then
|
||||
+ :
|
||||
+else
|
||||
+ ${FLATPAK} override --user --env=FOO=wrong org.test.Hello
|
||||
+ ${FLATPAK} override --user --env=BAR=wrong org.test.Hello
|
||||
+ ${FLATPAK} override --user --env=SECRET_TOKEN=wrong org.test.Hello
|
||||
+ ${FLATPAK} override --user --env=TMPDIR=/nonexistent/wrong org.test.Hello
|
||||
+ ${FLATPAK} override --user --env=TZDIR=/nonexistent/wrong org.test.Hello
|
||||
+ ${FLATPAK} override --user --show org.test.Hello > override
|
||||
+
|
||||
+ ${FLATPAK} run --command=bash \
|
||||
+ --env=FOO=BAR \
|
||||
+ --env=BAR= \
|
||||
+ --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 \
|
||||
+ --env=TMPDIR=/nonexistent/tmp \
|
||||
+ --env=TZDIR=/nonexistent/tz \
|
||||
+ org.test.Hello \
|
||||
+ -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' > out
|
||||
+ # The versions from `flatpak run` overrule `flatpak override`
|
||||
+ assert_file_has_content out '^FOO=BAR$'
|
||||
+ assert_file_has_content out '^BAR=$'
|
||||
+ assert_file_has_content out '^SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6$'
|
||||
+ assert_file_has_content out '^TZDIR=/nonexistent/tz$'
|
||||
+ assert_file_has_content out '^TMPDIR=/nonexistent/tmp$'
|
||||
+ ${FLATPAK} run --command=cat org.test.Hello -- /proc/1/cmdline > out
|
||||
+ # The secret doesn't end up in bubblewrap's cmdline where other users
|
||||
+ # could see it
|
||||
+ assert_not_file_has_content out 3047225e-5e38-4357-b21c-eac83b7e8ea6
|
||||
+
|
||||
+ ok "temporary environment variables"
|
||||
+fi
|
||||
+
|
||||
+reset_overrides
|
||||
+
|
||||
${FLATPAK} override --user --filesystem=home org.test.Hello
|
||||
${FLATPAK} override --user --filesystem=xdg-desktop/foo:create org.test.Hello
|
||||
${FLATPAK} override --user --filesystem=xdg-config:ro org.test.Hello
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From 1b80c139f02cff6eeec39ecdf1a8f531ab6d7d9b Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Sun, 10 Jan 2021 16:18:58 +0000
|
||||
Subject: [PATCH 04/10] context: Add --env-fd option
|
||||
|
||||
This allows environment variables to be added to the context without
|
||||
making their values visible to processes running under a different uid,
|
||||
which might be significant if the variable's value is a token or some
|
||||
other secret value.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
---
|
||||
common/flatpak-context.c | 60 ++++++++++++++++++++++++++++++++++++
|
||||
doc/flatpak-build-finish.xml | 18 +++++++++++
|
||||
doc/flatpak-build.xml | 18 +++++++++++
|
||||
doc/flatpak-override.xml | 18 +++++++++++
|
||||
doc/flatpak-run.xml | 18 +++++++++++
|
||||
5 files changed, 132 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
|
||||
index 462134aa..7e1bc46c 100644
|
||||
--- a/common/flatpak-context.c
|
||||
+++ b/common/flatpak-context.c
|
||||
@@ -1039,6 +1039,65 @@ option_env_cb (const gchar *option_name,
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
+static gboolean
|
||||
+option_env_fd_cb (const gchar *option_name,
|
||||
+ const gchar *value,
|
||||
+ gpointer data,
|
||||
+ GError **error)
|
||||
+{
|
||||
+ FlatpakContext *context = data;
|
||||
+ g_autoptr(GBytes) env_block = NULL;
|
||||
+ gsize remaining;
|
||||
+ const char *p;
|
||||
+ guint64 fd;
|
||||
+ gchar *endptr;
|
||||
+
|
||||
+ fd = g_ascii_strtoull (value, &endptr, 10);
|
||||
+
|
||||
+ if (endptr == NULL || *endptr != '\0' || fd > G_MAXINT)
|
||||
+ return glnx_throw (error, "Not a valid file descriptor: %s", value);
|
||||
+
|
||||
+ env_block = glnx_fd_readall_bytes ((int) fd, NULL, error);
|
||||
+
|
||||
+ if (env_block == NULL)
|
||||
+ return FALSE;
|
||||
+
|
||||
+ p = g_bytes_get_data (env_block, &remaining);
|
||||
+
|
||||
+ /* env_block might not be \0-terminated */
|
||||
+ while (remaining > 0)
|
||||
+ {
|
||||
+ size_t len = strnlen (p, remaining);
|
||||
+ const char *equals;
|
||||
+
|
||||
+ g_assert (len <= remaining);
|
||||
+
|
||||
+ equals = memchr (p, '=', len);
|
||||
+
|
||||
+ if (equals == NULL || equals == p)
|
||||
+ return glnx_throw (error,
|
||||
+ "Environment variable must be given in the form VARIABLE=VALUE, not %.*s", (int) len, p);
|
||||
+
|
||||
+ flatpak_context_set_env_var (context,
|
||||
+ g_strndup (p, equals - p),
|
||||
+ g_strndup (equals + 1, len - (equals - p) - 1));
|
||||
+ p += len;
|
||||
+ remaining -= len;
|
||||
+
|
||||
+ if (remaining > 0)
|
||||
+ {
|
||||
+ g_assert (*p == '\0');
|
||||
+ p += 1;
|
||||
+ remaining -= 1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (fd >= 3)
|
||||
+ close (fd);
|
||||
+
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
static gboolean
|
||||
option_own_name_cb (const gchar *option_name,
|
||||
const gchar *value,
|
||||
@@ -1236,6 +1295,7 @@ static GOptionEntry context_options[] = {
|
||||
{ "filesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_filesystem_cb, N_("Expose filesystem to app (:ro for read-only)"), N_("FILESYSTEM[:ro]") },
|
||||
{ "nofilesystem", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_nofilesystem_cb, N_("Don't expose filesystem to app"), N_("FILESYSTEM") },
|
||||
{ "env", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_cb, N_("Set environment variable"), N_("VAR=VALUE") },
|
||||
+ { "env-fd", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_env_fd_cb, N_("Read environment variables in env -0 format from FD"), N_("FD") },
|
||||
{ "own-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_own_name_cb, N_("Allow app to own name on the session bus"), N_("DBUS_NAME") },
|
||||
{ "talk-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_talk_name_cb, N_("Allow app to talk to name on the session bus"), N_("DBUS_NAME") },
|
||||
{ "no-talk-name", 0, G_OPTION_FLAG_IN_MAIN, G_OPTION_ARG_CALLBACK, &option_no_talk_name_cb, N_("Don't allow app to talk to name on the session bus"), N_("DBUS_NAME") },
|
||||
diff --git a/doc/flatpak-build-finish.xml b/doc/flatpak-build-finish.xml
|
||||
index d92eeb4d..2e01cd3e 100644
|
||||
--- a/doc/flatpak-build-finish.xml
|
||||
+++ b/doc/flatpak-build-finish.xml
|
||||
@@ -286,6 +286,24 @@ key=v1;v2;
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><option>--env-fd=<replaceable>FD</replaceable></option></term>
|
||||
+
|
||||
+ <listitem><para>
|
||||
+ Read environment variables from the file descriptor
|
||||
+ <replaceable>FD</replaceable>, and set them as if
|
||||
+ via <option>--env</option>. This can be used to avoid
|
||||
+ environment variables and their values becoming visible
|
||||
+ to other users.
|
||||
+ </para><para>
|
||||
+ Each environment variable is in the form
|
||||
+ <replaceable>VAR</replaceable>=<replaceable>VALUE</replaceable>
|
||||
+ followed by a zero byte. This is the same format used by
|
||||
+ <literal>env -0</literal> and
|
||||
+ <filename>/proc/*/environ</filename>.
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term><option>--own-name=NAME</option></term>
|
||||
|
||||
diff --git a/doc/flatpak-build.xml b/doc/flatpak-build.xml
|
||||
index 55e3ec89..e3eb9bc8 100644
|
||||
--- a/doc/flatpak-build.xml
|
||||
+++ b/doc/flatpak-build.xml
|
||||
@@ -288,6 +288,24 @@ key=v1;v2;
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><option>--env-fd=<replaceable>FD</replaceable></option></term>
|
||||
+
|
||||
+ <listitem><para>
|
||||
+ Read environment variables from the file descriptor
|
||||
+ <replaceable>FD</replaceable>, and set them as if
|
||||
+ via <option>--env</option>. This can be used to avoid
|
||||
+ environment variables and their values becoming visible
|
||||
+ to other users.
|
||||
+ </para><para>
|
||||
+ Each environment variable is in the form
|
||||
+ <replaceable>VAR</replaceable>=<replaceable>VALUE</replaceable>
|
||||
+ followed by a zero byte. This is the same format used by
|
||||
+ <literal>env -0</literal> and
|
||||
+ <filename>/proc/*/environ</filename>.
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term><option>--own-name=NAME</option></term>
|
||||
|
||||
diff --git a/doc/flatpak-override.xml b/doc/flatpak-override.xml
|
||||
index 8f131575..137e1251 100644
|
||||
--- a/doc/flatpak-override.xml
|
||||
+++ b/doc/flatpak-override.xml
|
||||
@@ -262,6 +262,24 @@ key=v1;v2;
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><option>--env-fd=<replaceable>FD</replaceable></option></term>
|
||||
+
|
||||
+ <listitem><para>
|
||||
+ Read environment variables from the file descriptor
|
||||
+ <replaceable>FD</replaceable>, and set them as if
|
||||
+ via <option>--env</option>. This can be used to avoid
|
||||
+ environment variables and their values becoming visible
|
||||
+ to other users.
|
||||
+ </para><para>
|
||||
+ Each environment variable is in the form
|
||||
+ <replaceable>VAR</replaceable>=<replaceable>VALUE</replaceable>
|
||||
+ followed by a zero byte. This is the same format used by
|
||||
+ <literal>env -0</literal> and
|
||||
+ <filename>/proc/*/environ</filename>.
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term><option>--own-name=NAME</option></term>
|
||||
|
||||
diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml
|
||||
index 5077c1a9..ed157341 100644
|
||||
--- a/doc/flatpak-run.xml
|
||||
+++ b/doc/flatpak-run.xml
|
||||
@@ -402,6 +402,24 @@ key=v1;v2;
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term><option>--env-fd=<replaceable>FD</replaceable></option></term>
|
||||
+
|
||||
+ <listitem><para>
|
||||
+ Read environment variables from the file descriptor
|
||||
+ <replaceable>FD</replaceable>, and set them as if
|
||||
+ via <option>--env</option>. This can be used to avoid
|
||||
+ environment variables and their values becoming visible
|
||||
+ to other users.
|
||||
+ </para><para>
|
||||
+ Each environment variable is in the form
|
||||
+ <replaceable>VAR</replaceable>=<replaceable>VALUE</replaceable>
|
||||
+ followed by a zero byte. This is the same format used by
|
||||
+ <literal>env -0</literal> and
|
||||
+ <filename>/proc/*/environ</filename>.
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term><option>--own-name=NAME</option></term>
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From 6c244791c912fe0c5ae2e140f251dc02c46cc0aa Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Tue, 12 Jan 2021 10:11:51 +0000
|
||||
Subject: [PATCH 05/10] portal: Convert --env in extra-args into --env-fd
|
||||
|
||||
This hides overridden variables from the command-line, which means
|
||||
processes running under other uids can't see them in /proc/*/cmdline,
|
||||
which might be important if they contain secrets.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
---
|
||||
portal/flatpak-portal.c | 51 ++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 50 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
|
||||
index 060987b7..03ea58cc 100644
|
||||
--- a/portal/flatpak-portal.c
|
||||
+++ b/portal/flatpak-portal.c
|
||||
@@ -249,6 +249,7 @@ typedef struct
|
||||
int fd_map_len;
|
||||
gboolean set_tty;
|
||||
int tty;
|
||||
+ int env_fd;
|
||||
} ChildSetupData;
|
||||
|
||||
static void
|
||||
@@ -267,6 +268,9 @@ child_setup_func (gpointer user_data)
|
||||
|
||||
flatpak_close_fds_workaround (3);
|
||||
|
||||
+ if (data->env_fd != -1)
|
||||
+ drop_cloexec (data->env_fd);
|
||||
+
|
||||
/* Unblock all signals */
|
||||
sigemptyset (&set);
|
||||
if (pthread_sigmask (SIG_SETMASK, &set, NULL) == -1)
|
||||
@@ -553,6 +557,9 @@ handle_spawn (PortalFlatpak *object,
|
||||
gboolean sandboxed;
|
||||
gboolean devel;
|
||||
gboolean expose_pids;
|
||||
+ g_autoptr(GString) env_string = g_string_new ("");
|
||||
+
|
||||
+ child_setup_data.env_fd = -1;
|
||||
|
||||
if (fd_list != NULL)
|
||||
fds = g_unix_fd_list_peek_fds (fd_list, &fds_len);
|
||||
@@ -805,7 +812,49 @@ handle_spawn (PortalFlatpak *object,
|
||||
else
|
||||
{
|
||||
for (i = 0; extra_args != NULL && extra_args[i] != NULL; i++)
|
||||
- g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i]));
|
||||
+ {
|
||||
+ if (g_str_has_prefix (extra_args[i], "--env="))
|
||||
+ {
|
||||
+ const char *var_val = extra_args[i] + strlen ("--env=");
|
||||
+
|
||||
+ if (var_val[0] == '\0' || var_val[0] == '=')
|
||||
+ {
|
||||
+ g_warning ("Environment variable in extra-args has empty name");
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ if (strchr (var_val, '=') == NULL)
|
||||
+ {
|
||||
+ g_warning ("Environment variable in extra-args has no value");
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ g_string_append (env_string, var_val);
|
||||
+ g_string_append_c (env_string, '\0');
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ g_ptr_array_add (flatpak_argv, g_strdup (extra_args[i]));
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (env_string->len > 0)
|
||||
+ {
|
||||
+ g_auto(GLnxTmpfile) env_tmpf = { 0, };
|
||||
+
|
||||
+ if (!flatpak_buffer_to_sealed_memfd_or_tmpfile (&env_tmpf, "environ",
|
||||
+ env_string->str,
|
||||
+ env_string->len, &error))
|
||||
+ {
|
||||
+ g_dbus_method_invocation_return_gerror (invocation, error);
|
||||
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ }
|
||||
+
|
||||
+ child_setup_data.env_fd = glnx_steal_fd (&env_tmpf.fd);
|
||||
+ g_ptr_array_add (flatpak_argv,
|
||||
+ g_strdup_printf ("--env-fd=%d",
|
||||
+ child_setup_data.env_fd));
|
||||
}
|
||||
|
||||
expose_pids = (arg_flags & FLATPAK_SPAWN_FLAGS_EXPOSE_PIDS) != 0;
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From f1725cd4fc6164d33f7a92bba673e8718655c1f1 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 11 Jan 2021 12:25:50 +0000
|
||||
Subject: [PATCH 06/10] tests: Exercise --env-fd
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
---
|
||||
tests/test-override.sh | 18 ++++++++++--------
|
||||
1 file changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/tests/test-override.sh b/tests/test-override.sh
|
||||
index 1213bbd4..1c7dafd3 100755
|
||||
--- a/tests/test-override.sh
|
||||
+++ b/tests/test-override.sh
|
||||
@@ -65,14 +65,16 @@ reset_overrides
|
||||
|
||||
${FLATPAK} override --user --env=FOO=BAR org.test.Hello
|
||||
${FLATPAK} override --user --env=BAR= org.test.Hello
|
||||
-# TODO: A future commit will add a way to avoid this ever being present in argv
|
||||
-${FLATPAK} override --user --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 org.test.Hello
|
||||
+# --env-fd with terminating \0 (strictly as documented).
|
||||
+printf '%s\0' "SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6" > env.3
|
||||
+# --env-fd without terminating \0 (which we also accept).
|
||||
# TMPDIR and TZDIR are filtered out by ld.so for setuid processes,
|
||||
# so setting these gives us a way to verify that we can pass them through
|
||||
# a setuid bwrap (without special-casing them, as we previously did for
|
||||
# TMPDIR).
|
||||
-${FLATPAK} override --user --env=TMPDIR=/nonexistent/tmp org.test.Hello
|
||||
-${FLATPAK} override --user --env=TZDIR=/nonexistent/tz org.test.Hello
|
||||
+printf '%s\0%s' "TMPDIR=/nonexistent/tmp" "TZDIR=/nonexistent/tz" > env.4
|
||||
+${FLATPAK} override --user --env-fd=3 --env-fd=4 org.test.Hello \
|
||||
+ 3<env.3 4<env.4
|
||||
${FLATPAK} override --user --show org.test.Hello > override
|
||||
|
||||
assert_file_has_content override "^\[Environment\]$"
|
||||
@@ -118,11 +120,11 @@ else
|
||||
${FLATPAK} run --command=bash \
|
||||
--env=FOO=BAR \
|
||||
--env=BAR= \
|
||||
- --env=SECRET_TOKEN=3047225e-5e38-4357-b21c-eac83b7e8ea6 \
|
||||
- --env=TMPDIR=/nonexistent/tmp \
|
||||
- --env=TZDIR=/nonexistent/tz \
|
||||
+ --env-fd=3 \
|
||||
+ --env-fd=4 \
|
||||
org.test.Hello \
|
||||
- -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' > out
|
||||
+ -c 'echo "FOO=$FOO"; echo "BAR=$BAR"; echo "SECRET_TOKEN=$SECRET_TOKEN"; echo "TMPDIR=$TMPDIR"; echo "TZDIR=$TZDIR"' \
|
||||
+ 3<env.3 4<env.4 > out
|
||||
# The versions from `flatpak run` overrule `flatpak override`
|
||||
assert_file_has_content out '^FOO=BAR$'
|
||||
assert_file_has_content out '^BAR=$'
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From adcb3b2608caa1ab6647f59e31a9084ec0b66bbb Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Sun, 10 Jan 2021 16:25:29 +0000
|
||||
Subject: [PATCH 07/10] portal: Do not use caller-supplied variables in
|
||||
environment
|
||||
|
||||
If the caller specifies a variable that can be used to inject arbitrary
|
||||
code into processes, we must not allow it to enter the environment
|
||||
block used to run `flatpak run`, which runs unsandboxed.
|
||||
|
||||
This change requires the previous commit "context: Add --env-fd option",
|
||||
which adds infrastructure used here.
|
||||
|
||||
To be secure, this change also requires the previous commit
|
||||
"run: Convert all environment variables into bwrap arguments", which
|
||||
protects a non-setuid bwrap(1) from the same attack.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
---
|
||||
portal/flatpak-portal.c | 28 +++++++++++++++++++++++++++-
|
||||
1 file changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/portal/flatpak-portal.c b/portal/flatpak-portal.c
|
||||
index 03ea58cc..fe8a514f 100644
|
||||
--- a/portal/flatpak-portal.c
|
||||
+++ b/portal/flatpak-portal.c
|
||||
@@ -760,6 +760,13 @@ handle_spawn (PortalFlatpak *object,
|
||||
else
|
||||
env = g_get_environ ();
|
||||
|
||||
+ /* Let the environment variables given by the caller override the ones
|
||||
+ * from extra_args. Don't add them to @env, because they are controlled
|
||||
+ * by our caller, which might be trying to use them to inject code into
|
||||
+ * flatpak(1); add them to the environment block instead.
|
||||
+ *
|
||||
+ * We don't use --env= here, so that if the values are something that
|
||||
+ * should not be exposed to other uids, they can remain confidential. */
|
||||
n_envs = g_variant_n_children (arg_envs);
|
||||
for (i = 0; i < n_envs; i++)
|
||||
{
|
||||
@@ -767,7 +774,26 @@ handle_spawn (PortalFlatpak *object,
|
||||
const char *val = NULL;
|
||||
g_variant_get_child (arg_envs, i, "{&s&s}", &var, &val);
|
||||
|
||||
- env = g_environ_setenv (env, var, val, TRUE);
|
||||
+ if (var[0] == '\0')
|
||||
+ {
|
||||
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
|
||||
+ G_DBUS_ERROR_INVALID_ARGS,
|
||||
+ "Environment variable cannot have empty name");
|
||||
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ }
|
||||
+
|
||||
+ if (strchr (var, '=') != NULL)
|
||||
+ {
|
||||
+ g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR,
|
||||
+ G_DBUS_ERROR_INVALID_ARGS,
|
||||
+ "Environment variable name cannot contain '='");
|
||||
+ return G_DBUS_METHOD_INVOCATION_HANDLED;
|
||||
+ }
|
||||
+
|
||||
+ g_string_append (env_string, var);
|
||||
+ g_string_append_c (env_string, '=');
|
||||
+ g_string_append (env_string, val);
|
||||
+ g_string_append_c (env_string, '\0');
|
||||
}
|
||||
|
||||
g_ptr_array_add (flatpak_argv, g_strdup ("flatpak"));
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From 1fb13b40cea72ded0ca804a990e84b12454a30a1 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 11 Jan 2021 12:48:01 +0000
|
||||
Subject: [PATCH 08/10] tests: Assert that --env= does not go in `flatpak run`
|
||||
or bwrap environ
|
||||
|
||||
For the portal's use of --env-fd= to be safe, we want the environment
|
||||
variables that it sets to end up in the environment for the program
|
||||
that is run by `bwrap` as process 2, but they must not go into the
|
||||
environment that gets used to run `flatpak run` or `bwrap`. Assert
|
||||
that this is the case.
|
||||
|
||||
For completeness, we're testing both --env= and --env-fd= here,
|
||||
even though the earlier commit
|
||||
"portal: Do not use caller-supplied variables in environment"
|
||||
always uses --env-fd=.
|
||||
|
||||
Part-of: https://github.com/flatpak/flatpak/security/advisories/GHSA-4ppf-fxf6-vxg2
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
tests/Makefile.am.inc | 10 ++++++++++
|
||||
tests/libpreload.c | 31 +++++++++++++++++++++++++++++++
|
||||
tests/test-override.sh | 18 ++++++++++++++++++
|
||||
3 files changed, 59 insertions(+)
|
||||
create mode 100644 tests/libpreload.c
|
||||
|
||||
diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
|
||||
index 15f52148..c95ed3bc 100644
|
||||
--- a/tests/Makefile.am.inc
|
||||
+++ b/tests/Makefile.am.inc
|
||||
@@ -156,6 +156,16 @@ dist_installed_test_data = \
|
||||
tests/org.flatpak.Authenticator.test.service.in \
|
||||
$(NULL)
|
||||
|
||||
+test_ltlibraries = tests/libpreload.la
|
||||
+
|
||||
+tests_libpreload_la_SOURCES = tests/libpreload.c
|
||||
+tests_libpreload_la_LDFLAGS = \
|
||||
+ -avoid-version \
|
||||
+ -module \
|
||||
+ -no-undefined \
|
||||
+ -rpath $(installed_testdir) \
|
||||
+ $(NULL)
|
||||
+
|
||||
installed_test_keyringdir = $(installed_testdir)/test-keyring
|
||||
installed_test_keyring2dir = $(installed_testdir)/test-keyring2
|
||||
|
||||
diff --git a/tests/libpreload.c b/tests/libpreload.c
|
||||
new file mode 100644
|
||||
index 00000000..a640a945
|
||||
--- /dev/null
|
||||
+++ b/tests/libpreload.c
|
||||
@@ -0,0 +1,31 @@
|
||||
+/*
|
||||
+ * Copyright 2021 Collabora Ltd.
|
||||
+ * SPDX-License-Identifier: LGPL-2-or-later
|
||||
+ */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+__attribute__((constructor)) static void
|
||||
+ctor (void)
|
||||
+{
|
||||
+ pid_t me = getpid ();
|
||||
+ struct stat buf;
|
||||
+
|
||||
+ fprintf (stderr, "LD_PRELOAD module got loaded by process %d\n", me);
|
||||
+
|
||||
+ if (stat ("/.flatpak-info", &buf) == 0)
|
||||
+ {
|
||||
+ fprintf (stderr, "OK: pid %d is in a Flatpak sandbox\n", me);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ /* If the --env=LD_PRELOAD had come from a call to flatpak-portal,
|
||||
+ * then this would be a sandbox escape (GHSA-4ppf-fxf6-vxg2). */
|
||||
+ fprintf (stderr, "Error: pid %d is not in a Flatpak sandbox\n", me);
|
||||
+ abort ();
|
||||
+ }
|
||||
+}
|
||||
diff --git a/tests/test-override.sh b/tests/test-override.sh
|
||||
index 1c7dafd3..47416a6d 100755
|
||||
--- a/tests/test-override.sh
|
||||
+++ b/tests/test-override.sh
|
||||
@@ -3,6 +3,11 @@
|
||||
set -euo pipefail
|
||||
|
||||
. $(dirname $0)/libtest.sh
|
||||
+if [ -e "${test_builddir}/.libs/libpreload.so" ]; then
|
||||
+ install "${test_builddir}/.libs/libpreload.so" "${test_tmpdir}"
|
||||
+else
|
||||
+ install "${test_builddir}/libpreload.so" "${test_tmpdir}"
|
||||
+fi
|
||||
|
||||
skip_revokefs_without_fuse
|
||||
|
||||
@@ -118,6 +123,7 @@ else
|
||||
${FLATPAK} override --user --show org.test.Hello > override
|
||||
|
||||
${FLATPAK} run --command=bash \
|
||||
+ --filesystem="${test_tmpdir}" \
|
||||
--env=FOO=BAR \
|
||||
--env=BAR= \
|
||||
--env-fd=3 \
|
||||
@@ -136,6 +142,18 @@ else
|
||||
# could see it
|
||||
assert_not_file_has_content out 3047225e-5e38-4357-b21c-eac83b7e8ea6
|
||||
|
||||
+ # libpreload.so will abort() if it gets loaded into the `flatpak run`
|
||||
+ # or `bwrap` processes, so if this succeeds, everything's OK
|
||||
+ ${FLATPAK} run --command=bash \
|
||||
+ --filesystem="${test_tmpdir}" \
|
||||
+ --env=LD_PRELOAD="${test_tmpdir}/libpreload.so" \
|
||||
+ org.test.Hello -c ''
|
||||
+ printf '%s\0' "LD_PRELOAD=${test_tmpdir}/libpreload.so" > env.ldpreload
|
||||
+ ${FLATPAK} run --command=bash \
|
||||
+ --filesystem="${test_tmpdir}" \
|
||||
+ --env-fd=3 \
|
||||
+ org.test.Hello -c '' 3<env.ldpreload
|
||||
+
|
||||
ok "temporary environment variables"
|
||||
fi
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From e4a3720e49aa38d0ed07106663499f957c070847 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
||||
Subject: [PATCH 09/10] build: Convert environment into a sequence of bwrap
|
||||
arguments
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap itself ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
This fixes a regression when CVE-2021-21261 was fixed: before the
|
||||
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
||||
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
||||
the special case that protected LD_LIBRARY_PATH was removed in favour
|
||||
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
||||
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
||||
that we run the potentially-setuid bwrap.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
app/flatpak-builtins-build.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
||||
index 5ecd2ef3..8616f3c8 100644
|
||||
--- a/app/flatpak-builtins-build.c
|
||||
+++ b/app/flatpak-builtins-build.c
|
||||
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||
NULL);
|
||||
}
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From f830b97e81a626a43b160ccb5dad4fe934ab03fa Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
||||
Subject: [PATCH 10/10] dir: Pass environment via bwrap --setenv when running
|
||||
apply_extra
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-dir.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index c3ab8bcf..030b8a31 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7751,6 +7751,8 @@ apply_extra_data (FlatpakDir *self,
|
||||
app_context, NULL, NULL, NULL, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
||||
|
||||
flatpak_bwrap_finish (bwrap);
|
||||
--
|
||||
2.29.2
|
||||
|
@ -1,161 +0,0 @@
|
||||
diff -urN flatpak-1.6.2/common/flatpak-oci-registry.c flatpak-1.6.2.new/common/flatpak-oci-registry.c
|
||||
--- flatpak-1.6.2/common/flatpak-oci-registry.c 2019-12-20 09:52:17.000000000 +0000
|
||||
+++ flatpak-1.6.2.new/common/flatpak-oci-registry.c 2020-03-20 12:01:39.923000000 +0000
|
||||
@@ -901,6 +901,7 @@
|
||||
|
||||
static char *
|
||||
get_token_for_www_auth (FlatpakOciRegistry *self,
|
||||
+ const char *repository,
|
||||
const char *www_authenticate,
|
||||
const char *auth,
|
||||
GCancellable *cancellable,
|
||||
@@ -911,6 +912,7 @@
|
||||
g_autoptr(GHashTable) params = NULL;
|
||||
g_autoptr(GHashTable) args = NULL;
|
||||
const char *realm, *service, *scope, *token;
|
||||
+ g_autofree char *default_scope = NULL;
|
||||
g_autoptr(SoupURI) auth_uri = NULL;
|
||||
g_autoptr(GBytes) body = NULL;
|
||||
g_autoptr(JsonNode) json = NULL;
|
||||
@@ -941,16 +943,21 @@
|
||||
service = g_hash_table_lookup (params, "service");
|
||||
if (service)
|
||||
g_hash_table_insert (args, "service", (char *)service);
|
||||
+
|
||||
scope = g_hash_table_lookup (params, "scope");
|
||||
- if (scope)
|
||||
- g_hash_table_insert (args, "scope", (char *)scope);
|
||||
+ if (scope == NULL)
|
||||
+ scope = default_scope = g_strdup_printf("repository:%s:pull", repository);
|
||||
+ g_hash_table_insert (args, "scope", (char *)scope);
|
||||
|
||||
soup_uri_set_query_from_form (auth_uri, args);
|
||||
|
||||
auth_msg = soup_message_new_from_uri ("GET", auth_uri);
|
||||
|
||||
- g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
|
||||
- soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
|
||||
+ if (auth)
|
||||
+ {
|
||||
+ g_autofree char *basic_auth = g_strdup_printf ("Basic %s", auth);
|
||||
+ soup_message_headers_replace (auth_msg->request_headers, "Authorization", basic_auth);
|
||||
+ }
|
||||
|
||||
auth_stream = soup_session_send (self->soup_session, auth_msg, NULL, error);
|
||||
if (auth_stream == NULL)
|
||||
@@ -1030,7 +1037,7 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- token = get_token_for_www_auth (self, www_authenticate, basic_auth, cancellable, error);
|
||||
+ token = get_token_for_www_auth (self, repository, www_authenticate, basic_auth, cancellable, error);
|
||||
if (token == NULL)
|
||||
return NULL;
|
||||
|
||||
diff -urN flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c
|
||||
--- flatpak-1.6.2/oci-authenticator/flatpak-oci-authenticator.c 2019-12-19 09:33:40.000000000 +0000
|
||||
+++ flatpak-1.6.2.new/oci-authenticator/flatpak-oci-authenticator.c 2020-03-20 12:01:39.936000000 +0000
|
||||
@@ -428,10 +428,12 @@
|
||||
g_autoptr(GError) error = NULL;
|
||||
g_autoptr(AutoFlatpakAuthenticatorRequest) request = NULL;
|
||||
const char *auth = NULL;
|
||||
+ gboolean have_auth;
|
||||
const char *oci_registry_uri = NULL;
|
||||
gsize n_refs, i;
|
||||
gboolean no_interaction = FALSE;
|
||||
g_autoptr(FlatpakOciRegistry) registry = NULL;
|
||||
+ g_autofree char *first_token = NULL;
|
||||
GVariantBuilder tokens;
|
||||
GVariantBuilder results;
|
||||
g_autofree char *sender = g_strdup (g_dbus_method_invocation_get_sender (invocation));
|
||||
@@ -439,6 +441,7 @@
|
||||
g_debug ("handling Authenticator.RequestRefTokens");
|
||||
|
||||
g_variant_lookup (arg_authenticator_options, "auth", "&s", &auth);
|
||||
+ have_auth = auth != NULL;
|
||||
|
||||
if (!g_variant_lookup (arg_options, "xa.oci-registry-uri", "&s", &oci_registry_uri))
|
||||
{
|
||||
@@ -476,18 +479,33 @@
|
||||
return error_request (request, sender, error->message);
|
||||
|
||||
|
||||
- if (auth == NULL)
|
||||
+ /* Look up credentials in config files */
|
||||
+ if (!have_auth)
|
||||
{
|
||||
g_debug ("Looking for %s in auth info", oci_registry_uri);
|
||||
auth = lookup_auth_from_config (oci_registry_uri);
|
||||
+ have_auth = auth != NULL;
|
||||
}
|
||||
|
||||
+ /* Try to see if we can get a token without presenting credentials */
|
||||
n_refs = g_variant_n_children (arg_refs);
|
||||
- if (auth == NULL && n_refs > 0 &&
|
||||
+ if (!have_auth && n_refs > 0)
|
||||
+ {
|
||||
+ g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
|
||||
+
|
||||
+ first_token = get_token_for_ref (registry, ref_data, NULL, &error);
|
||||
+ if (first_token != NULL)
|
||||
+ have_auth = TRUE;
|
||||
+ else
|
||||
+ g_clear_error (&error);
|
||||
+ }
|
||||
+
|
||||
+ /* Prompt the user for credentials */
|
||||
+ n_refs = g_variant_n_children (arg_refs);
|
||||
+ if (!have_auth && n_refs > 0 &&
|
||||
!no_interaction)
|
||||
{
|
||||
g_autoptr(GVariant) ref_data = g_variant_get_child_value (arg_refs, 0);
|
||||
- g_autofree char *token = NULL;
|
||||
|
||||
while (auth == NULL)
|
||||
{
|
||||
@@ -498,13 +516,21 @@
|
||||
if (test_auth == NULL)
|
||||
return cancel_request (request, sender);
|
||||
|
||||
- token = get_token_for_ref (registry, ref_data, test_auth, &error);
|
||||
- if (token != NULL)
|
||||
- auth = g_steal_pointer (&test_auth);
|
||||
+ first_token = get_token_for_ref (registry, ref_data, test_auth, &error);
|
||||
+ if (first_token != NULL)
|
||||
+ {
|
||||
+ auth = g_steal_pointer (&test_auth);
|
||||
+ have_auth = TRUE;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ g_debug ("Failed to get token: %s", error->message);
|
||||
+ g_clear_error (&error);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
- if (auth == NULL)
|
||||
+ if (!have_auth)
|
||||
return error_request (request, sender, "No authentication information available");
|
||||
|
||||
g_variant_builder_init (&tokens, G_VARIANT_TYPE ("a{sas}"));
|
||||
@@ -515,9 +541,16 @@
|
||||
char *for_refs_strv[2] = { NULL, NULL};
|
||||
g_autofree char *token = NULL;
|
||||
|
||||
- token = get_token_for_ref (registry, ref_data, auth, &error);
|
||||
- if (token == NULL)
|
||||
- return error_request (request, sender, error->message);
|
||||
+ if (i == 0 && first_token != NULL)
|
||||
+ {
|
||||
+ token = g_steal_pointer (&first_token);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ token = get_token_for_ref (registry, ref_data, auth, &error);
|
||||
+ if (token == NULL)
|
||||
+ return error_request (request, sender, error->message);
|
||||
+ }
|
||||
|
||||
g_variant_get_child (ref_data, 0, "&s", &for_refs_strv[0]);
|
||||
g_variant_builder_add (&tokens, "{s^as}", token, for_refs_strv);
|
@ -1,322 +0,0 @@
|
||||
From 1b9a64e943e2233e009e01a08191b4c17580b3f6 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Mon, 4 May 2020 13:00:35 +0200
|
||||
Subject: [PATCH 1/7] oci authenticator: Accept the right docker manifest when
|
||||
authenticating
|
||||
|
||||
Without this I got for the fedora registry:
|
||||
|
||||
```
|
||||
getting token for https://registry.fedoraproject.org/v2/f32/flatpak-runtime/manifests/sha256:bd83b4f6974094848efac22b933419c1dbe11b553def148a82f821faf595de8a
|
||||
F: Anonymous authentication failed: Unexpected response status 404 from repo
|
||||
```
|
||||
|
||||
(cherry picked from commit 1ee132e70e5d0cb5fa0e022c2271f76bcfd03054)
|
||||
---
|
||||
common/flatpak-oci-registry.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
||||
index 2505771ee..ae363bc1a 100644
|
||||
--- a/common/flatpak-oci-registry.c
|
||||
+++ b/common/flatpak-oci-registry.c
|
||||
@@ -1015,6 +1015,9 @@ flatpak_oci_registry_get_token (FlatpakOciRegistry *self,
|
||||
|
||||
msg = soup_message_new_from_uri ("HEAD", uri);
|
||||
|
||||
+ soup_message_headers_replace (msg->request_headers, "Accept",
|
||||
+ FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST ", " FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2);
|
||||
+
|
||||
stream = soup_session_send (self->soup_session, msg, NULL, error);
|
||||
if (stream == NULL)
|
||||
return NULL;
|
||||
|
||||
From 0d4deebbd5855ceef1cdb5bac3d5c6fb630dc29e Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Mon, 4 May 2020 12:35:16 +0200
|
||||
Subject: [PATCH 2/7] By default, always try to auth to OCI remotes
|
||||
|
||||
This makes for instance docker hub work.
|
||||
|
||||
(cherry picked from commit fdfcae7a91e3af207c4acec918276511f112cafe)
|
||||
---
|
||||
common/flatpak-auth.c | 4 ++++
|
||||
common/flatpak-dir.c | 5 +++++
|
||||
2 files changed, 9 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-auth.c b/common/flatpak-auth.c
|
||||
index 9d0f689fc..9e45da41e 100644
|
||||
--- a/common/flatpak-auth.c
|
||||
+++ b/common/flatpak-auth.c
|
||||
@@ -49,6 +49,10 @@ flatpak_auth_new_for_remote (FlatpakDir *dir,
|
||||
if (!ostree_repo_get_remote_option (repo, remote, FLATPAK_REMOTE_CONFIG_AUTHENTICATOR_NAME, NULL, &name, error))
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ if (name == NULL && flatpak_dir_get_remote_oci (dir, remote))
|
||||
+ name = g_strdup ("org.flatpak.Authenticator.Oci");
|
||||
+
|
||||
if (name == NULL || *name == 0 /* or if no repo */)
|
||||
{
|
||||
flatpak_fail (error, _("No authenticator configured for remote `%s`"), remote);
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index 2c8e12eaf..19de4fd38 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -11233,6 +11233,11 @@ _flatpak_dir_get_remote_state (FlatpakDir *self,
|
||||
}
|
||||
}
|
||||
|
||||
+ if (flatpak_dir_get_remote_oci (self, remote_or_uri))
|
||||
+ {
|
||||
+ state->default_token_type = 1;
|
||||
+ }
|
||||
+
|
||||
if (state->collection_id == NULL)
|
||||
{
|
||||
if (state->summary != NULL) /* In the optional case we might not have a summary */
|
||||
|
||||
From 77e4db40f40a92f4f7e0ddb21ae367e9a0af9cb4 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Fri, 8 May 2020 15:09:02 +0200
|
||||
Subject: [PATCH 3/7] oci: Add flatpak_oci_registry_is_local()
|
||||
|
||||
(cherry picked from commit d4962628aa8db6132e98660fe52aa5a9ac5d3637)
|
||||
---
|
||||
common/flatpak-oci-registry-private.h | 1 +
|
||||
common/flatpak-oci-registry.c | 6 ++++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h
|
||||
index 1804e43b6..6745c5f65 100644
|
||||
--- a/common/flatpak-oci-registry-private.h
|
||||
+++ b/common/flatpak-oci-registry-private.h
|
||||
@@ -62,6 +62,7 @@ FlatpakOciRegistry * flatpak_oci_registry_new (const char *uri,
|
||||
GError **error);
|
||||
void flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
|
||||
const char *token);
|
||||
+gboolean flatpak_oci_registry_is_local (FlatpakOciRegistry *self);
|
||||
const char * flatpak_oci_registry_get_uri (FlatpakOciRegistry *self);
|
||||
FlatpakOciIndex * flatpak_oci_registry_load_index (FlatpakOciRegistry *self,
|
||||
GCancellable *cancellable,
|
||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
||||
index ae363bc1a..fdeee56bd 100644
|
||||
--- a/common/flatpak-oci-registry.c
|
||||
+++ b/common/flatpak-oci-registry.c
|
||||
@@ -205,6 +205,12 @@ flatpak_oci_registry_init (FlatpakOciRegistry *self)
|
||||
self->tmp_dfd = -1;
|
||||
}
|
||||
|
||||
+gboolean
|
||||
+flatpak_oci_registry_is_local (FlatpakOciRegistry *self)
|
||||
+{
|
||||
+ return self->dfd != -1;
|
||||
+}
|
||||
+
|
||||
const char *
|
||||
flatpak_oci_registry_get_uri (FlatpakOciRegistry *self)
|
||||
{
|
||||
|
||||
From 3deeea1ad50b469f7daaca7e2e0d7ba9c5efc26e Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Fri, 8 May 2020 15:10:38 +0200
|
||||
Subject: [PATCH 4/7] oci: Set token on child oci registry and pass to
|
||||
system-helper
|
||||
|
||||
When we create a system child registry we also set the current token on
|
||||
it. This is not used directly in the client, however its saved in a
|
||||
file called .token and re-read in the system-helper, allowing it to
|
||||
also do the remote registry operations it needs to verify the child
|
||||
registry.
|
||||
|
||||
(cherry picked from commit 5d8fd2d1be914a26e128ab97be6f00e9c34bfa9d)
|
||||
---
|
||||
common/flatpak-dir.c | 8 ++++++--
|
||||
common/flatpak-oci-registry.c | 15 +++++++++++++++
|
||||
2 files changed, 21 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index 19de4fd38..25f874ecf 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -92,6 +92,7 @@ G_DEFINE_AUTOPTR_CLEANUP_FUNC (AutoPolkitSubject, g_object_unref)
|
||||
|
||||
static FlatpakOciRegistry *flatpak_dir_create_system_child_oci_registry (FlatpakDir *self,
|
||||
GLnxLockFile *file_lock,
|
||||
+ const char *token,
|
||||
GError **error);
|
||||
|
||||
static OstreeRepo * flatpak_dir_create_child_repo (FlatpakDir *self,
|
||||
@@ -8602,6 +8603,7 @@ flatpak_dir_deploy_update (FlatpakDir *self,
|
||||
static FlatpakOciRegistry *
|
||||
flatpak_dir_create_system_child_oci_registry (FlatpakDir *self,
|
||||
GLnxLockFile *file_lock,
|
||||
+ const char *token,
|
||||
GError **error)
|
||||
{
|
||||
g_autoptr(GFile) cache_dir = NULL;
|
||||
@@ -8636,6 +8638,8 @@ flatpak_dir_create_system_child_oci_registry (FlatpakDir *self,
|
||||
if (new_registry == NULL)
|
||||
return NULL;
|
||||
|
||||
+ flatpak_oci_registry_set_token (new_registry, token);
|
||||
+
|
||||
return g_steal_pointer (&new_registry);
|
||||
}
|
||||
|
||||
@@ -8952,7 +8956,7 @@ flatpak_dir_install (FlatpakDir *self,
|
||||
g_autoptr(FlatpakOciRegistry) registry = NULL;
|
||||
g_autoptr(GFile) registry_file = NULL;
|
||||
|
||||
- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
|
||||
+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
|
||||
if (registry == NULL)
|
||||
return FALSE;
|
||||
|
||||
@@ -9662,7 +9666,7 @@ flatpak_dir_update (FlatpakDir *self,
|
||||
g_autoptr(FlatpakOciRegistry) registry = NULL;
|
||||
g_autoptr(GFile) registry_file = NULL;
|
||||
|
||||
- registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, error);
|
||||
+ registry = flatpak_dir_create_system_child_oci_registry (self, &child_repo_lock, token, error);
|
||||
if (registry == NULL)
|
||||
return FALSE;
|
||||
|
||||
diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c
|
||||
index fdeee56bd..c3ddb8c2b 100644
|
||||
--- a/common/flatpak-oci-registry.c
|
||||
+++ b/common/flatpak-oci-registry.c
|
||||
@@ -223,8 +223,15 @@ flatpak_oci_registry_set_token (FlatpakOciRegistry *self,
|
||||
{
|
||||
g_free (self->token);
|
||||
self->token = g_strdup (token);
|
||||
+
|
||||
+ if (self->token)
|
||||
+ (void)glnx_file_replace_contents_at (self->dfd, ".token",
|
||||
+ (guchar *)self->token,
|
||||
+ strlen (self->token),
|
||||
+ 0, NULL, NULL);
|
||||
}
|
||||
|
||||
+
|
||||
FlatpakOciRegistry *
|
||||
flatpak_oci_registry_new (const char *uri,
|
||||
gboolean for_write,
|
||||
@@ -415,6 +422,7 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
|
||||
int dfd;
|
||||
g_autoptr(GError) local_error = NULL;
|
||||
g_autoptr(GBytes) oci_layout_bytes = NULL;
|
||||
+ g_autoptr(GBytes) token_bytes = NULL;
|
||||
gboolean not_json;
|
||||
|
||||
if (self->dfd != -1)
|
||||
@@ -476,6 +484,13 @@ flatpak_oci_registry_ensure_local (FlatpakOciRegistry *self,
|
||||
else if (!verify_oci_version (oci_layout_bytes, ¬_json, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
+ if (self->dfd != -1)
|
||||
+ {
|
||||
+ token_bytes = local_load_file (self->dfd, ".token", cancellable, NULL);
|
||||
+ if (token_bytes != NULL)
|
||||
+ self->token = g_strndup (g_bytes_get_data (token_bytes, NULL), g_bytes_get_size (token_bytes));
|
||||
+ }
|
||||
+
|
||||
if (self->dfd == -1 && local_dfd != -1)
|
||||
self->dfd = glnx_steal_fd (&local_dfd);
|
||||
|
||||
|
||||
From 36f87863baa848c8709b75958c85857f45e97e0a Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 15:43:16 +0200
|
||||
Subject: [PATCH 5/7] OCI: Also look for the docker media type when looking
|
||||
manifests
|
||||
|
||||
We handle both types, so look for both.
|
||||
|
||||
(cherry picked from commit 0fdec95fe068cd497b1c5a5b60d21103c711d2a4)
|
||||
---
|
||||
common/flatpak-json-oci.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-json-oci.c b/common/flatpak-json-oci.c
|
||||
index 6d60279d0..f5b3f0a0c 100644
|
||||
--- a/common/flatpak-json-oci.c
|
||||
+++ b/common/flatpak-json-oci.c
|
||||
@@ -469,7 +469,8 @@ const char *
|
||||
flatpak_oci_manifest_descriptor_get_ref (FlatpakOciManifestDescriptor *m)
|
||||
{
|
||||
if (m->parent.mediatype == NULL ||
|
||||
- strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0)
|
||||
+ (strcmp (m->parent.mediatype, FLATPAK_OCI_MEDIA_TYPE_IMAGE_MANIFEST) != 0 &&
|
||||
+ strcmp (m->parent.mediatype, FLATPAK_DOCKER_MEDIA_TYPE_IMAGE_MANIFEST2) != 0))
|
||||
return NULL;
|
||||
|
||||
if (m->parent.annotations == NULL)
|
||||
|
||||
From 0da4a6c82c16d4560d4931d567e2685efd8dff0d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Mon, 4 May 2020 15:51:48 +0200
|
||||
Subject: [PATCH 6/7] tests: Make OCI authenticator available
|
||||
|
||||
(cherry picked from commit 4d79110cb682b79819913aa6ce033cb7a7787c86)
|
||||
---
|
||||
tests/Makefile.am.inc | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/Makefile.am.inc b/tests/Makefile.am.inc
|
||||
index 7c2e8271f..15f521485 100644
|
||||
--- a/tests/Makefile.am.inc
|
||||
+++ b/tests/Makefile.am.inc
|
||||
@@ -105,11 +105,15 @@ tests/services/org.flatpak.Authenticator.test.service: tests/org.flatpak.Authent
|
||||
mkdir -p tests/services
|
||||
$(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)/tests|" $< > $@
|
||||
|
||||
+tests/services/org.flatpak.Authenticator.Oci.service: oci-authenticator/org.flatpak.Authenticator.Oci.service.in
|
||||
+ mkdir -p tests/services
|
||||
+ $(AM_V_GEN) $(SED) -e "s|\@libexecdir\@|$(abs_top_builddir)|" $< > $@
|
||||
+
|
||||
tests/share/xdg-desktop-portal/portals/test.portal: tests/test.portal.in
|
||||
mkdir -p tests/share/xdg-desktop-portal/portals
|
||||
$(AM_V_GEN) install -m644 $< $@
|
||||
|
||||
-tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service
|
||||
+tests/libtest.sh: tests/services/org.freedesktop.Flatpak.service tests/services/org.freedesktop.Flatpak.SystemHelper.service tests/services/org.freedesktop.portal.Flatpak.service tests/share/xdg-desktop-portal/portals/test.portal tests/services/org.freedesktop.impl.portal.desktop.test.service tests/services/org.flatpak.Authenticator.test.service tests/services/org.flatpak.Authenticator.Oci.service
|
||||
|
||||
install-test-data-hook:
|
||||
if ENABLE_INSTALLED_TESTS
|
||||
@@ -223,6 +227,7 @@ DISTCLEANFILES += \
|
||||
tests/services/org.freedesktop.portal.Flatpak.service \
|
||||
tests/services/org.freedesktop.impl.portal.desktop.test.service \
|
||||
tests/services/org.flatpak.Authenticator.test.service \
|
||||
+ tests/services/org.flatpak.Authenticator.Oci.service \
|
||||
tests/share/xdg-desktop-portal/portals/test.portal \
|
||||
tests/package_version.txt \
|
||||
$(NULL)
|
||||
|
||||
From 8fb4369439e57cc25c706610c5ce1ee776220278 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Larsson <alexl@redhat.com>
|
||||
Date: Mon, 4 May 2020 15:51:59 +0200
|
||||
Subject: [PATCH 7/7] Tests: Support HEAD requests in oci-registry-server
|
||||
|
||||
This just does a GET, which is not quite right, but will work.
|
||||
This is needed for the authenticator.
|
||||
|
||||
(cherry picked from commit 530475b9abff81d990424ca46ec57458e1bb9604)
|
||||
---
|
||||
tests/oci-registry-server.py | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/tests/oci-registry-server.py b/tests/oci-registry-server.py
|
||||
index 23c2db916..33c3b646b 100755
|
||||
--- a/tests/oci-registry-server.py
|
||||
+++ b/tests/oci-registry-server.py
|
||||
@@ -135,6 +135,9 @@ def do_GET(self):
|
||||
else:
|
||||
self.wfile.write(response_string.encode('utf-8'))
|
||||
|
||||
+ def do_HEAD(self):
|
||||
+ return self.do_GET()
|
||||
+
|
||||
def do_POST(self):
|
||||
if self.check_route('/testing/@repo_name/@tag'):
|
||||
repo_name = self.matches['repo_name']
|
73
SOURCES/flatpak-1.8.5-post-cve-fixes.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 17:52:13 +0000
|
||||
Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap itself ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
This fixes a regression when CVE-2021-21261 was fixed: before the
|
||||
CVE fixes, LD_LIBRARY_PATH would have been passed through like this
|
||||
and appeared in the `flatpak build` shell, but during the CVE fixes,
|
||||
the special case that protected LD_LIBRARY_PATH was removed in favour
|
||||
of the more general flatpak_bwrap_envp_to_args(). That reasoning only
|
||||
works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
|
||||
that we run the potentially-setuid bwrap.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Resolves: https://github.com/flatpak/flatpak/issues/4080
|
||||
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
|
||||
---
|
||||
app/flatpak-builtins-build.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
|
||||
index 8da0de814..07ef6fc07 100644
|
||||
--- a/app/flatpak-builtins-build.c
|
||||
+++ b/app/flatpak-builtins-build.c
|
||||
@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
|
||||
NULL);
|
||||
}
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
|
||||
return FALSE;
|
||||
|
||||
From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Mon, 18 Jan 2021 18:07:38 +0000
|
||||
Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
|
||||
apply_extra
|
||||
|
||||
This means we can systematically pass the environment variables
|
||||
through bwrap(1), even if it is setuid and thus is filtering out
|
||||
security-sensitive environment variables. bwrap ends up being
|
||||
run with an empty environment instead.
|
||||
|
||||
As with the previous commit, this regressed while fixing CVE-2021-21261.
|
||||
|
||||
Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
|
||||
---
|
||||
common/flatpak-dir.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
|
||||
index ed1248e74..40767fa77 100644
|
||||
--- a/common/flatpak-dir.c
|
||||
+++ b/common/flatpak-dir.c
|
||||
@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
|
||||
app_context, NULL, NULL, NULL, cancellable, error))
|
||||
return FALSE;
|
||||
|
||||
+ flatpak_bwrap_envp_to_args (bwrap);
|
||||
+
|
||||
flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
|
||||
|
||||
flatpak_bwrap_finish (bwrap);
|
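Review bot: The new `flatpak_bwrap_envp_to_args (bwrap);` call in flatpak_builtin_build carries no comment stating the ordering invariant it depends on — it must run after every environment change to the bwrap object and before `flatpak_bwrap_bundle_args`, and forgetting exactly that call is the regression this patch repairs. The same applies to the apply_extra_data hunk in common/flatpak-dir.c, where the call is also placed before the `/app/bin/apply_extra` argument, presumably because bwrap options have to precede the command it executes. A one-line comment at each call site, such as `/* Convert envp into --setenv args last: a setuid bwrap strips its own environment (CVE-2021-21261 follow-up) */`, would make the invariant visible to whoever next edits these call sites. Both enclosing functions start and end outside the quoted hunks, so whether other bwrap invocations in those files already do the same conversion cannot be confirmed from here.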
@ -2,24 +2,17 @@
|
||||
%global ostree_version 2018.9
|
||||
|
||||
Name: flatpak
|
||||
Version: 1.6.2
|
||||
Release: 6%{?dist}
|
||||
Version: 1.8.5
|
||||
Release: 3%{?dist}
|
||||
Summary: Application deployment framework for desktop apps
|
||||
|
||||
License: LGPLv2+
|
||||
URL: http://flatpak.org/
|
||||
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1814045
|
||||
Patch0: flatpak-1.6.2-oci-fixes.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1847201
|
||||
Patch1: flatpak-1.6.2-oci-fixes2.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1878231
|
||||
# https://github.com/flatpak/flatpak/pull/3845
|
||||
Patch2: 3845.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1918774
|
||||
Patch3: flatpak-1.6.2-fix-CVE-2021-21261.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1938062
|
||||
Patch4: flatpak-1.6.2-fix-CVE-2021-21381.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
|
||||
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1938063
|
||||
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
|
||||
|
||||
BuildRequires: pkgconfig(appstream-glib)
|
||||
BuildRequires: pkgconfig(dconf)
|
||||
@ -33,6 +26,7 @@ BuildRequires: pkgconfig(libseccomp)
|
||||
BuildRequires: pkgconfig(libsoup-2.4)
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: pkgconfig(libxml-2.0) >= 2.4
|
||||
BuildRequires: pkgconfig(libzstd) >= 0.8.1
|
||||
BuildRequires: pkgconfig(ostree-1) >= %{ostree_version}
|
||||
BuildRequires: pkgconfig(polkit-gobject-1)
|
||||
BuildRequires: pkgconfig(xau)
|
||||
@ -43,7 +37,9 @@ BuildRequires: docbook-style-xsl
|
||||
BuildRequires: gettext
|
||||
BuildRequires: gpgme-devel
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: python3-pyparsing
|
||||
BuildRequires: systemd
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: /usr/bin/xmlto
|
||||
BuildRequires: /usr/bin/xsltproc
|
||||
|
||||
@ -192,8 +188,7 @@ fi
|
||||
%{_datadir}/dbus-1/services/org.flatpak.Authenticator.Oci.service
|
||||
%{_datadir}/dbus-1/services/org.freedesktop.portal.Flatpak.service
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.Flatpak.SystemHelper.service
|
||||
# Co-own directory.
|
||||
%{_datadir}/gdm/env.d
|
||||
%{_datadir}/fish
|
||||
%{_datadir}/%{name}
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.Flatpak.policy
|
||||
%{_datadir}/polkit-1/rules.d/org.freedesktop.Flatpak.rules
|
||||
@ -214,6 +209,7 @@ fi
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
|
||||
%{_sysconfdir}/flatpak/remotes.d
|
||||
%{_sysconfdir}/profile.d/flatpak.sh
|
||||
%{_sysusersdir}/flatpak.conf
|
||||
%{_unitdir}/flatpak-system-helper.service
|
||||
%{_userunitdir}/flatpak-oci-authenticator.service
|
||||
%{_userunitdir}/flatpak-portal.service
|
||||
@ -248,11 +244,20 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.6.2-6
|
||||
- Fix CVE-2021-21381 (#1938062)
|
||||
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
|
||||
- Fix CVE-2021-21381 (#1938063)
|
||||
|
||||
* Tue Jan 26 2021 David King <dking@redhat.com> - 1.6.2-5
|
||||
- Fix CVE-2021-21261 (#1918774)
|
||||
* Mon Jan 25 2021 David King <dking@redhat.com> - 1.8.5-2
|
||||
- Apply post-release CVE fixes (#1918776)
|
||||
|
||||
* Thu Jan 14 2021 David King <dking@redhat.com> - 1.8.5-1
|
||||
- Rebase to 1.8.5 (#1851958)
|
||||
|
||||
* Tue Nov 17 2020 David King <dking@redhat.com> - 1.8.3-1
|
||||
- Rebase to 1.8.3 (#1851958)
|
||||
|
||||
* Mon Oct 05 2020 David King <dking@redhat.com> - 1.8.2-1
|
||||
- Rebase to 1.8.2 (#1851958)
|
||||
|
||||
* Mon Sep 14 2020 Kalev Lember <klember@redhat.com> - 1.6.2-4
|
||||
- OCI: extract appstream data for runtimes (#1878231)
|
||||
|