forked from rpms/flatpak
import flatpak-1.8.5-4.el8_4
This commit is contained in:
parent
24ffc0f355
commit
42c625ff8c
818
SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch
Normal file
818
SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch
Normal file
@ -0,0 +1,818 @@
|
||||
From e49dee0f37e0264ecd55b86832955d8b98d0d74d Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 11:53:23 +0100
|
||||
Subject: [PATCH 01/11] run: Add an errno value to seccomp filters
|
||||
|
||||
At the moment, if we block a syscall we always make it fail with EPERM,
|
||||
but this is risky: user-space libraries can start to use new replacements
|
||||
for old syscalls at any time, and will often treat EPERM as a fatal error.
|
||||
For new syscalls, we should make the syscall fail with ENOSYS, which is
|
||||
indistinguishable from running on an older kernel and will cause fallback
|
||||
to an older implementation, for example clone3() to clone().
|
||||
|
||||
In future we should probably move from EPERM to ENOSYS for some of the
|
||||
syscalls we already block, but for now keep the status quo.
|
||||
|
||||
This is a prerequisite for fixing the vulnerability tracked as
|
||||
GHSA-67h7-w3jq-vh4q.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 62 +++++++++++++++++++++++++-------------------
|
||||
1 file changed, 36 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 3e26710009f9..14212e1f6e55 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2623,61 +2623,63 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
struct
|
||||
{
|
||||
int scall;
|
||||
+ int errnum;
|
||||
struct scmp_arg_cmp *arg;
|
||||
} syscall_blocklist[] = {
|
||||
/* Block dmesg */
|
||||
- {SCMP_SYS (syslog)},
|
||||
+ {SCMP_SYS (syslog), EPERM},
|
||||
/* Useless old syscall */
|
||||
- {SCMP_SYS (uselib)},
|
||||
+ {SCMP_SYS (uselib), EPERM},
|
||||
/* Don't allow disabling accounting */
|
||||
- {SCMP_SYS (acct)},
|
||||
+ {SCMP_SYS (acct), EPERM},
|
||||
/* 16-bit code is unnecessary in the sandbox, and modify_ldt is a
|
||||
historic source of interesting information leaks. */
|
||||
- {SCMP_SYS (modify_ldt)},
|
||||
+ {SCMP_SYS (modify_ldt), EPERM},
|
||||
/* Don't allow reading current quota use */
|
||||
- {SCMP_SYS (quotactl)},
|
||||
+ {SCMP_SYS (quotactl), EPERM},
|
||||
|
||||
/* Don't allow access to the kernel keyring */
|
||||
- {SCMP_SYS (add_key)},
|
||||
- {SCMP_SYS (keyctl)},
|
||||
- {SCMP_SYS (request_key)},
|
||||
+ {SCMP_SYS (add_key), EPERM},
|
||||
+ {SCMP_SYS (keyctl), EPERM},
|
||||
+ {SCMP_SYS (request_key), EPERM},
|
||||
|
||||
/* Scary VM/NUMA ops */
|
||||
- {SCMP_SYS (move_pages)},
|
||||
- {SCMP_SYS (mbind)},
|
||||
- {SCMP_SYS (get_mempolicy)},
|
||||
- {SCMP_SYS (set_mempolicy)},
|
||||
- {SCMP_SYS (migrate_pages)},
|
||||
+ {SCMP_SYS (move_pages), EPERM},
|
||||
+ {SCMP_SYS (mbind), EPERM},
|
||||
+ {SCMP_SYS (get_mempolicy), EPERM},
|
||||
+ {SCMP_SYS (set_mempolicy), EPERM},
|
||||
+ {SCMP_SYS (migrate_pages), EPERM},
|
||||
|
||||
/* Don't allow subnamespace setups: */
|
||||
- {SCMP_SYS (unshare)},
|
||||
- {SCMP_SYS (mount)},
|
||||
- {SCMP_SYS (pivot_root)},
|
||||
+ {SCMP_SYS (unshare), EPERM},
|
||||
+ {SCMP_SYS (mount), EPERM},
|
||||
+ {SCMP_SYS (pivot_root), EPERM},
|
||||
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
|
||||
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
|
||||
* and flags arguments are reversed so the flags come second */
|
||||
- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
|
||||
+ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
|
||||
#else
|
||||
/* Normally the flags come first */
|
||||
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
|
||||
+ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
|
||||
#endif
|
||||
|
||||
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
|
||||
- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
|
||||
+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
|
||||
};
|
||||
|
||||
struct
|
||||
{
|
||||
int scall;
|
||||
+ int errnum;
|
||||
struct scmp_arg_cmp *arg;
|
||||
} syscall_nondevel_blocklist[] = {
|
||||
/* Profiling operations; we expect these to be done by tools from outside
|
||||
* the sandbox. In particular perf has been the source of many CVEs.
|
||||
*/
|
||||
- {SCMP_SYS (perf_event_open)},
|
||||
+ {SCMP_SYS (perf_event_open), EPERM},
|
||||
/* Don't allow you to switch to bsd emulation or whatnot */
|
||||
- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
|
||||
- {SCMP_SYS (ptrace)}
|
||||
+ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
|
||||
+ {SCMP_SYS (ptrace), EPERM}
|
||||
};
|
||||
/* Blocklist all but unix, inet, inet6 and netlink */
|
||||
struct
|
||||
@@ -2762,10 +2764,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++)
|
||||
{
|
||||
int scall = syscall_blocklist[i].scall;
|
||||
+ int errnum = syscall_blocklist[i].errnum;
|
||||
+
|
||||
+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
|
||||
+
|
||||
if (syscall_blocklist[i].arg)
|
||||
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg);
|
||||
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
|
||||
else
|
||||
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
|
||||
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
|
||||
if (r < 0 && r == -EFAULT /* unknown syscall */)
|
||||
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
|
||||
}
|
||||
@@ -2775,10 +2781,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++)
|
||||
{
|
||||
int scall = syscall_nondevel_blocklist[i].scall;
|
||||
+ int errnum = syscall_nondevel_blocklist[i].errnum;
|
||||
+
|
||||
+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
|
||||
+
|
||||
if (syscall_nondevel_blocklist[i].arg)
|
||||
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg);
|
||||
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg);
|
||||
else
|
||||
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
|
||||
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
|
||||
|
||||
if (r < 0 && r == -EFAULT /* unknown syscall */)
|
||||
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 0f1fbc35a6c3d17465614427fadaf9866984a297 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 12:44:04 +0100
|
||||
Subject: [PATCH 02/11] run: Add cross-references for some other seccomp
|
||||
syscall filters
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 14212e1f6e55..d51e535b822f 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2618,6 +2618,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
* https://git.gnome.org/browse/linux-user-chroot
|
||||
* in src/setup-seccomp.c
|
||||
*
|
||||
+ * Other useful resources:
|
||||
+ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
|
||||
+ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
|
||||
+ *
|
||||
**** END NOTE ON CODE SHARING
|
||||
*/
|
||||
struct
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 5dcb1f731c6dacf85ad5ea61230f049cbf2b3bbf Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 14:17:04 +0100
|
||||
Subject: [PATCH 03/11] common: Add a list of recently-added Linux syscalls
|
||||
|
||||
Historically, syscalls could take arbitrarily-different values on
|
||||
different architectures, but new syscalls are added with syscall numbers
|
||||
that align on each architecture.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/Makefile.am.inc | 1 +
|
||||
common/flatpak-run.c | 2 +
|
||||
common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++
|
||||
3 files changed, 200 insertions(+)
|
||||
create mode 100644 common/flatpak-syscalls-private.h
|
||||
|
||||
diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
|
||||
index 82d85ad78724..599146ab00b9 100644
|
||||
--- a/common/Makefile.am.inc
|
||||
+++ b/common/Makefile.am.inc
|
||||
@@ -153,6 +153,7 @@ libflatpak_common_la_SOURCES = \
|
||||
common/flatpak-remote.c \
|
||||
common/flatpak-run-private.h \
|
||||
common/flatpak-run.c \
|
||||
+ common/flatpak-syscalls-private.h \
|
||||
common/flatpak-transaction-private.h \
|
||||
common/flatpak-transaction.c \
|
||||
common/flatpak-transaction.h \
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index d51e535b822f..7015b11a07fe 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -41,6 +41,8 @@
|
||||
#include <libmalcontent/malcontent.h>
|
||||
#endif
|
||||
|
||||
+#include "flatpak-syscalls-private.h"
|
||||
+
|
||||
#ifdef ENABLE_SECCOMP
|
||||
#include <seccomp.h>
|
||||
#endif
|
||||
diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h
|
||||
new file mode 100644
|
||||
index 000000000000..04eb38ce3631
|
||||
--- /dev/null
|
||||
+++ b/common/flatpak-syscalls-private.h
|
||||
@@ -0,0 +1,197 @@
|
||||
+/*
|
||||
+ * Copyright 2021 Collabora Ltd.
|
||||
+ * SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
+ *
|
||||
+ * This program is free software; you can redistribute it and/or
|
||||
+ * modify it under the terms of the GNU Lesser General Public
|
||||
+ * License as published by the Free Software Foundation; either
|
||||
+ * version 2.1 of the License, or (at your option) any later version.
|
||||
+ *
|
||||
+ * This library is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ * Lesser General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU Lesser General Public
|
||||
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#pragma once
|
||||
+
|
||||
+#include <sys/syscall.h>
|
||||
+
|
||||
+#if defined(_MIPS_SIM)
|
||||
+# if _MIPS_SIM == _MIPS_SIM_ABI32
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 4000
|
||||
+# elif _MIPS_SIM == _MIPS_SIM_ABI64
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 5000
|
||||
+# elif _MIPS_SIM == _MIPS_SIM_NABI32
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 6000
|
||||
+# else
|
||||
+# error "Unknown MIPS ABI"
|
||||
+# endif
|
||||
+#endif
|
||||
+
|
||||
+#if defined(__ia64__)
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 1024
|
||||
+#endif
|
||||
+
|
||||
+#if defined(__alpha__)
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 110
|
||||
+#endif
|
||||
+
|
||||
+#if defined(__x86_64__) && defined(__ILP32__)
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
|
||||
+#endif
|
||||
+
|
||||
+/*
|
||||
+ * FLATPAK_MISSING_SYSCALL_BASE:
|
||||
+ *
|
||||
+ * Number to add to the syscall numbers of recently-added syscalls
|
||||
+ * to get the appropriate syscall for the current ABI.
|
||||
+ */
|
||||
+#ifndef FLATPAK_MISSING_SYSCALL_BASE
|
||||
+# define FLATPAK_MISSING_SYSCALL_BASE 0
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_open_tree
|
||||
+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
|
||||
+#endif
|
||||
+#ifndef __SNR_open_tree
|
||||
+# define __SNR_open_tree __NR_open_tree
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_move_mount
|
||||
+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
|
||||
+#endif
|
||||
+#ifndef __SNR_move_mount
|
||||
+# define __SNR_move_mount __NR_move_mount
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_fsopen
|
||||
+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
|
||||
+#endif
|
||||
+#ifndef __SNR_fsopen
|
||||
+# define __SNR_fsopen __NR_fsopen
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_fsconfig
|
||||
+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
|
||||
+#endif
|
||||
+#ifndef __SNR_fsconfig
|
||||
+# define __SNR_fsconfig __NR_fsconfig
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_fsmount
|
||||
+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
|
||||
+#endif
|
||||
+#ifndef __SNR_fsmount
|
||||
+# define __SNR_fsmount __NR_fsmount
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_fspick
|
||||
+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
|
||||
+#endif
|
||||
+#ifndef __SNR_fspick
|
||||
+# define __SNR_fspick __NR_fspick
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_pidfd_open
|
||||
+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
|
||||
+#endif
|
||||
+#ifndef __SNR_pidfd_open
|
||||
+# define __SNR_pidfd_open __NR_pidfd_open
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_clone3
|
||||
+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
|
||||
+#endif
|
||||
+#ifndef __SNR_clone3
|
||||
+# define __SNR_clone3 __NR_clone3
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_close_range
|
||||
+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
|
||||
+#endif
|
||||
+#ifndef __SNR_close_range
|
||||
+# define __SNR_close_range __NR_close_range
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_openat2
|
||||
+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
|
||||
+#endif
|
||||
+#ifndef __SNR_openat2
|
||||
+# define __SNR_openat2 __NR_openat2
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_pidfd_getfd
|
||||
+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
|
||||
+#endif
|
||||
+#ifndef __SNR_pidfd_getfd
|
||||
+# define __SNR_pidfd_getfd __NR_pidfd_getfd
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_faccessat2
|
||||
+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
|
||||
+#endif
|
||||
+#ifndef __SNR_faccessat2
|
||||
+# define __SNR_faccessat2 __NR_faccessat2
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_process_madvise
|
||||
+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
|
||||
+#endif
|
||||
+#ifndef __SNR_process_madvise
|
||||
+# define __SNR_process_madvise __NR_process_madvise
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_epoll_pwait2
|
||||
+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
|
||||
+#endif
|
||||
+#ifndef __SNR_epoll_pwait2
|
||||
+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_mount_setattr
|
||||
+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
|
||||
+#endif
|
||||
+#ifndef __SNR_mount_setattr
|
||||
+# define __SNR_mount_setattr __NR_mount_setattr
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_quotactl_fd
|
||||
+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
|
||||
+#endif
|
||||
+#ifndef __SNR_quotactl_fd
|
||||
+# define __SNR_quotactl_fd __NR_quotactl_fd
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_landlock_create_ruleset
|
||||
+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
|
||||
+#endif
|
||||
+#ifndef __SNR_landlock_create_ruleset
|
||||
+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_landlock_add_rule
|
||||
+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
|
||||
+#endif
|
||||
+#ifndef __SNR_landlock_add_rule
|
||||
+# define __SNR_landlock_add_rule __NR_landlock_add_rule
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_landlock_restrict_self
|
||||
+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
|
||||
+#endif
|
||||
+#ifndef __SNR_landlock_restrict_self
|
||||
+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
|
||||
+#endif
|
||||
+
|
||||
+#ifndef __NR_memfd_secret
|
||||
+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
|
||||
+#endif
|
||||
+#ifndef __SNR_memfd_secret
|
||||
+# define __SNR_memfd_secret __NR_memfd_secret
|
||||
+#endif
|
||||
+
|
||||
+/* Last updated: Linux 5.14, syscall numbers < 448 */
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 2965b7fa2de4ff13b712dd6ffa7e77bfb431530c Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 11:59:00 +0100
|
||||
Subject: [PATCH 04/11] run: Block clone3() in sandbox
|
||||
|
||||
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
|
||||
a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
|
||||
manipulate its root directory. We need to block this so that AF_UNIX-based
|
||||
socket servers (X11, Wayland, etc.) can rely on
|
||||
/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.
|
||||
|
||||
Partially fixes GHSA-67h7-w3jq-vh4q.
|
||||
|
||||
Thanks: an anonymous reporter
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 7015b11a07fe..25b3ca40a65a 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2671,6 +2671,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
|
||||
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
|
||||
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
|
||||
+
|
||||
+ /* seccomp can't look into clone3()'s struct clone_args to check whether
|
||||
+ * the flags are OK, so we have no choice but to block clone3().
|
||||
+ * Return ENOSYS so user-space will fall back to clone().
|
||||
+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
|
||||
+ {SCMP_SYS (clone3), ENOSYS},
|
||||
};
|
||||
|
||||
struct
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 8dd2c81f79e364f485b708e6170a4dbb5c0379d4 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 12:45:54 +0100
|
||||
Subject: [PATCH 05/11] run: Disallow recently-added mount-manipulation
|
||||
syscalls
|
||||
|
||||
If we don't allow mount() then we shouldn't allow these either.
|
||||
|
||||
Partially fixes GHSA-67h7-w3jq-vh4q.
|
||||
|
||||
Thanks: an anonymous reporter
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 25b3ca40a65a..a06f75690528 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2677,6 +2677,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
* Return ENOSYS so user-space will fall back to clone().
|
||||
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
|
||||
{SCMP_SYS (clone3), ENOSYS},
|
||||
+
|
||||
+ /* New mount manipulation APIs can also change our VFS. There's no
|
||||
+ * legitimate reason to do these in the sandbox, so block all of them
|
||||
+ * rather than thinking about which ones might be dangerous.
|
||||
+ * (GHSA-67h7-w3jq-vh4q) */
|
||||
+ {SCMP_SYS (open_tree), ENOSYS},
|
||||
+ {SCMP_SYS (move_mount), ENOSYS},
|
||||
+ {SCMP_SYS (fsopen), ENOSYS},
|
||||
+ {SCMP_SYS (fsconfig), ENOSYS},
|
||||
+ {SCMP_SYS (fsmount), ENOSYS},
|
||||
+ {SCMP_SYS (fspick), ENOSYS},
|
||||
+ {SCMP_SYS (mount_setattr), ENOSYS},
|
||||
};
|
||||
|
||||
struct
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From d448d643d0c5a0b315bbc4eccc605c1afcde8111 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 14:19:31 +0100
|
||||
Subject: [PATCH 06/11] run: Block setns()
|
||||
|
||||
If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
|
||||
shouldn't allow joining an existing (but different) namespace.
|
||||
|
||||
Partially fixes GHSA-67h7-w3jq-vh4q.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index a06f75690528..09ab8369bcf2 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2658,6 +2658,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
|
||||
/* Don't allow subnamespace setups: */
|
||||
{SCMP_SYS (unshare), EPERM},
|
||||
+ {SCMP_SYS (setns), EPERM},
|
||||
{SCMP_SYS (mount), EPERM},
|
||||
{SCMP_SYS (pivot_root), EPERM},
|
||||
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From c553d29a6d2402489fe2aab2e1fd7f27ffc0ba89 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 14:20:29 +0100
|
||||
Subject: [PATCH 07/11] run: Don't allow unmounting filesystems
|
||||
|
||||
If we don't allow mounting filesystems, we shouldn't allow unmounting
|
||||
either.
|
||||
|
||||
Partially fixes GHSA-67h7-w3jq-vh4q.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 09ab8369bcf2..d298f91804ff 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2660,6 +2660,8 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
{SCMP_SYS (unshare), EPERM},
|
||||
{SCMP_SYS (setns), EPERM},
|
||||
{SCMP_SYS (mount), EPERM},
|
||||
+ {SCMP_SYS (umount), EPERM},
|
||||
+ {SCMP_SYS (umount2), EPERM},
|
||||
{SCMP_SYS (pivot_root), EPERM},
|
||||
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
|
||||
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 0b85038cd1bd2fba41225fa2180ee3cbbde68ee9 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Wed, 1 Sep 2021 14:21:04 +0100
|
||||
Subject: [PATCH 08/11] run: Don't allow chroot()
|
||||
|
||||
If we don't allow pivot_root() then there seems no reason why we should
|
||||
allow chroot().
|
||||
|
||||
Partially fixes GHSA-67h7-w3jq-vh4q.
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
---
|
||||
common/flatpak-run.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index d298f91804ff..9b3648065b82 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2663,6 +2663,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
{SCMP_SYS (umount), EPERM},
|
||||
{SCMP_SYS (umount2), EPERM},
|
||||
{SCMP_SYS (pivot_root), EPERM},
|
||||
+ {SCMP_SYS (chroot), EPERM},
|
||||
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
|
||||
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
|
||||
* and flags arguments are reversed so the flags come second */
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From f0e2093275199ec6ff023c332f012f42615e9f8f Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 8 Oct 2021 17:05:07 +0100
|
||||
Subject: [PATCH 09/11] run: Handle unknown syscalls as intended
|
||||
|
||||
The error-handling here was
|
||||
|
||||
if (r < 0 && r == -EFAULT)
|
||||
|
||||
but Alex says it was almost certainly intended to be
|
||||
|
||||
if (r < 0 && r != -EFAULT)
|
||||
|
||||
so that syscalls not known to libseccomp are not a fatal error.
|
||||
|
||||
Instead of literally making that change, emit a debug message on -EFAULT
|
||||
so we can see what is going on.
|
||||
|
||||
This temporarily weakens our defence against CVE-2021-41133
|
||||
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
|
||||
version of libseccomp does not know about the recently-added syscalls,
|
||||
but the kernel does, then we will not prevent non-native executables
|
||||
from using those syscalls.
|
||||
|
||||
Resolves: https://github.com/flatpak/flatpak/issues/4458
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit d419fa67038370e4f4c3ce8c3b5f672d4876cfc8)
|
||||
(cherry picked from commit 270701f900c8612cf1fc5e6f5a6e2eb6459708c1)
|
||||
---
|
||||
common/flatpak-run.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 9b3648065b82..04a034f27392 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2800,7 +2800,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
|
||||
else
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
|
||||
- if (r < 0 && r == -EFAULT /* unknown syscall */)
|
||||
+
|
||||
+ /* EFAULT means "internal libseccomp error", but in practice we get
|
||||
+ * this for syscall numbers added via flatpak-syscalls-private.h
|
||||
+ * when trying to filter them on a non-native architecture, because
|
||||
+ * libseccomp cannot map the syscall number to a name and back to a
|
||||
+ * number for the non-native architecture. */
|
||||
+ if (r == -EFAULT)
|
||||
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
|
||||
+ scall);
|
||||
+ else if (r < 0)
|
||||
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
|
||||
}
|
||||
|
||||
@@ -2818,7 +2827,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
else
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
|
||||
|
||||
- if (r < 0 && r == -EFAULT /* unknown syscall */)
|
||||
+ /* See above for the meaning of EFAULT. */
|
||||
+ if (errno == EFAULT)
|
||||
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
|
||||
+ scall);
|
||||
+ else if (r < 0)
|
||||
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
|
||||
}
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From de504cb72d2978ab67c9aa4bbbd63895128199c2 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 8 Oct 2021 19:00:13 +0100
|
||||
Subject: [PATCH 10/11] Fix handling of syscalls only allowed by --devel
|
||||
|
||||
This was incorrectly looking at errno instead of -r.
|
||||
|
||||
Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861)
|
||||
(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a)
|
||||
---
|
||||
common/flatpak-run.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 04a034f27392..87988b9f7e51 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2828,7 +2828,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
|
||||
|
||||
/* See above for the meaning of EFAULT. */
|
||||
- if (errno == EFAULT)
|
||||
+ if (r == -EFAULT)
|
||||
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
|
||||
scall);
|
||||
else if (r < 0)
|
||||
--
|
||||
2.31.1
|
||||
|
||||
|
||||
From 81492b64bbacc3c523e150ad5164f18973852b28 Mon Sep 17 00:00:00 2001
|
||||
From: Simon McVittie <smcv@collabora.com>
|
||||
Date: Fri, 8 Oct 2021 19:06:13 +0100
|
||||
Subject: [PATCH 11/11] run: Improve error handling/diagnostics for calls into
|
||||
libseccomp
|
||||
|
||||
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
||||
(cherry picked from commit 53bde36585b88a2b96bf896ed79b40ccb6a72c54)
|
||||
(cherry picked from commit bd2c58fc27fa5e31029339dbce8eea10717015f3)
|
||||
---
|
||||
common/flatpak-run.c | 46 ++++++++++++++++++++++++++++++++++++++------
|
||||
1 file changed, 40 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
|
||||
index 87988b9f7e51..c72b0cd96598 100644
|
||||
--- a/common/flatpak-run.c
|
||||
+++ b/common/flatpak-run.c
|
||||
@@ -2572,6 +2572,38 @@ static const uint32_t seccomp_x86_64_extra_arches[] = { SCMP_ARCH_X86, 0, };
|
||||
static const uint32_t seccomp_aarch64_extra_arches[] = { SCMP_ARCH_ARM, 0 };
|
||||
#endif
|
||||
|
||||
+/*
|
||||
+ * @negative_errno: Result code as returned by libseccomp functions
|
||||
+ *
|
||||
+ * Translate a libseccomp error code into an error message. libseccomp
|
||||
+ * mostly returns negative `errno` values such as `-ENOMEM`, but some
|
||||
+ * standard `errno` values are used for non-standard purposes where their
|
||||
+ * `strerror()` would be misleading.
|
||||
+ *
|
||||
+ * Returns: a string version of @negative_errno if possible
|
||||
+ */
|
||||
+static const char *
|
||||
+flatpak_seccomp_strerror (int negative_errno)
|
||||
+{
|
||||
+ g_return_val_if_fail (negative_errno < 0, "Non-negative error value from libseccomp?");
|
||||
+ g_return_val_if_fail (negative_errno > INT_MIN, "Out of range error value from libseccomp?");
|
||||
+
|
||||
+ switch (negative_errno)
|
||||
+ {
|
||||
+ case -EDOM:
|
||||
+ return "Architecture specific failure";
|
||||
+
|
||||
+ case -EFAULT:
|
||||
+ return "Internal libseccomp failure (unknown syscall?)";
|
||||
+
|
||||
+ case -ECANCELED:
|
||||
+ return "System failure beyond the control of libseccomp";
|
||||
+ }
|
||||
+
|
||||
+ /* e.g. -ENOMEM: the result of strerror() is good enough */
|
||||
+ return g_strerror (-negative_errno);
|
||||
+}
|
||||
+
|
||||
static inline void
|
||||
cleanup_seccomp (void *p)
|
||||
{
|
||||
@@ -2769,7 +2801,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
couldn't continue running. */
|
||||
r = seccomp_arch_add (seccomp, arch_id);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter"));
|
||||
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r));
|
||||
|
||||
if (multiarch && extra_arches != NULL)
|
||||
{
|
||||
@@ -2778,7 +2810,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
{
|
||||
r = seccomp_arch_add (seccomp, extra_arches[i]);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter"));
|
||||
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -2810,7 +2842,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
|
||||
scall);
|
||||
else if (r < 0)
|
||||
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
|
||||
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r));
|
||||
}
|
||||
|
||||
if (!devel)
|
||||
@@ -2832,7 +2864,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
|
||||
scall);
|
||||
else if (r < 0)
|
||||
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
|
||||
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -2862,8 +2894,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
|
||||
if (!glnx_open_anonymous_tmpfile_full (O_RDWR | O_CLOEXEC, "/tmp", &seccomp_tmpf, error))
|
||||
return FALSE;
|
||||
|
||||
- if (seccomp_export_bpf (seccomp, seccomp_tmpf.fd) != 0)
|
||||
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf"));
|
||||
+ r = seccomp_export_bpf (seccomp, seccomp_tmpf.fd);
|
||||
+
|
||||
+ if (r != 0)
|
||||
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf: %s"), flatpak_seccomp_strerror (r));
|
||||
|
||||
lseek (seccomp_tmpf.fd, 0, SEEK_SET);
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -3,7 +3,7 @@
|
||||
|
||||
Name: flatpak
|
||||
Version: 1.8.5
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Application deployment framework for desktop apps
|
||||
|
||||
License: LGPLv2+
|
||||
@ -13,7 +13,11 @@ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/
|
||||
Patch0: flatpak-1.8.5-post-cve-fixes.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1938063
|
||||
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2012867
|
||||
Patch2: flatpak-1.8.5-fix-CVE-2021-41133.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: pkgconfig(appstream-glib)
|
||||
BuildRequires: pkgconfig(dconf)
|
||||
BuildRequires: pkgconfig(fuse)
|
||||
@ -35,8 +39,11 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
|
||||
BuildRequires: docbook-dtds
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: gettext
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: gpgme-devel
|
||||
BuildRequires: gtk-doc
|
||||
BuildRequires: libcap-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: python3-pyparsing
|
||||
BuildRequires: systemd
|
||||
BuildRequires: /usr/bin/python3
|
||||
@ -125,6 +132,8 @@ This package contains installed tests for %{name}.
|
||||
|
||||
|
||||
%build
|
||||
autoreconf --force --install --verbose
|
||||
|
||||
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
|
||||
# Generate consistent IDs between runs to avoid multilib problems.
|
||||
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
|
||||
@ -244,6 +253,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-4
|
||||
- Fix CVE-2021-41133 (#2012867)
|
||||
|
||||
* Mon Mar 22 2021 David King <dking@redhat.com> - 1.8.5-3
|
||||
- Fix CVE-2021-21381 (#1938063)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user