diff --git a/.flatpak.metadata b/.flatpak.metadata index 76bd630..5b443f6 100644 --- a/.flatpak.metadata +++ b/.flatpak.metadata @@ -1 +1 @@ -a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz +ea9cd44ca1e6cdab1e450a8abc7c5e760194ac25 SOURCES/flatpak-1.8.7.tar.xz diff --git a/.gitignore b/.gitignore index 27b08dc..71e6537 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/flatpak-1.8.5.tar.xz +SOURCES/flatpak-1.8.7.tar.xz diff --git a/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch b/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch deleted file mode 100644 index 0d118f1..0000000 --- a/SOURCES/flatpak-1.8.5-fix-CVE-2021-21381.patch +++ /dev/null @@ -1,86 +0,0 @@ -From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001 -From: Ryan Gonzalez -Date: Tue, 2 Mar 2021 13:20:07 -0600 -Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files - -Fixes #4146. ---- - common/flatpak-dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index e6e4d6fb3..7d3374dad 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app, - g_string_append_printf (new_exec, " @@ %s @@", arg); - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); -+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) -+ g_print (_("Skipping invalid Exec argument %s\n"), arg); - else - g_string_append_printf (new_exec, " %s", arg); - } - -From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 5 Mar 2021 13:49:36 +0000 -Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix - -If we add new features analogous to file forwarding later, we might -find that we need a different magic token. Let's reserve the whole -@@* namespace so we can call it @@something-else. - -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index 7d3374dad..facfab37a 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app, - g_string_append_printf (new_exec, " @@ %s @@", arg); - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); -- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0) -+ else if (g_str_has_prefix (arg, "@@")) - g_print (_("Skipping invalid Exec argument %s\n"), arg); - else - g_string_append_printf (new_exec, " %s", arg); - -From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 5 Mar 2021 13:51:33 +0000 -Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses - of @@ tokens - -This is either a malicious/compromised app trying to do an attack, or -a mistake that will break handling of %f, %u and so on. Either way, -if we refuse to export the .desktop file, resulting in installation -failing, then it makes the rejection more obvious than quietly -removing the magic tokens. - -Signed-off-by: Simon McVittie ---- - common/flatpak-dir.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index facfab37a..c5edf346f 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app, - else if (strcasecmp (arg, "%u") == 0) - g_string_append_printf (new_exec, " @@u %s @@", arg); - else if (g_str_has_prefix (arg, "@@")) -- g_print (_("Skipping invalid Exec argument %s\n"), arg); -+ { -+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED, -+ _("Invalid Exec argument %s"), arg); -+ goto out; -+ } - else - g_string_append_printf (new_exec, " %s", arg); - } diff --git a/SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch b/SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch deleted file mode 100644 index 0eb4264..0000000 --- a/SOURCES/flatpak-1.8.5-fix-CVE-2021-41133.patch +++ /dev/null @@ -1,818 +0,0 @@ -From e49dee0f37e0264ecd55b86832955d8b98d0d74d Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 11:53:23 +0100 -Subject: [PATCH 01/11] run: Add an errno value to seccomp filters - -At the moment, if we block a syscall we always make it fail with EPERM, -but this is risky: user-space libraries can start to use new replacements -for old syscalls at any time, and will often treat EPERM as a fatal error. -For new syscalls, we should make the syscall fail with ENOSYS, which is -indistinguishable from running on an older kernel and will cause fallback -to an older implementation, for example clone3() to clone(). - -In future we should probably move from EPERM to ENOSYS for some of the -syscalls we already block, but for now keep the status quo. - -This is a prerequisite for fixing the vulnerability tracked as -GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 62 +++++++++++++++++++++++++------------------- - 1 file changed, 36 insertions(+), 26 deletions(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 3e26710009f9..14212e1f6e55 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2623,61 +2623,63 @@ setup_seccomp (FlatpakBwrap *bwrap, - struct - { - int scall; -+ int errnum; - struct scmp_arg_cmp *arg; - } syscall_blocklist[] = { - /* Block dmesg */ -- {SCMP_SYS (syslog)}, -+ {SCMP_SYS (syslog), EPERM}, - /* Useless old syscall */ -- {SCMP_SYS (uselib)}, -+ {SCMP_SYS (uselib), EPERM}, - /* Don't allow disabling accounting */ -- {SCMP_SYS (acct)}, -+ {SCMP_SYS (acct), EPERM}, - /* 16-bit code is unnecessary in the sandbox, and modify_ldt is a - historic source of interesting information leaks. */ -- {SCMP_SYS (modify_ldt)}, -+ {SCMP_SYS (modify_ldt), EPERM}, - /* Don't allow reading current quota use */ -- {SCMP_SYS (quotactl)}, -+ {SCMP_SYS (quotactl), EPERM}, - - /* Don't allow access to the kernel keyring */ -- {SCMP_SYS (add_key)}, -- {SCMP_SYS (keyctl)}, -- {SCMP_SYS (request_key)}, -+ {SCMP_SYS (add_key), EPERM}, -+ {SCMP_SYS (keyctl), EPERM}, -+ {SCMP_SYS (request_key), EPERM}, - - /* Scary VM/NUMA ops */ -- {SCMP_SYS (move_pages)}, -- {SCMP_SYS (mbind)}, -- {SCMP_SYS (get_mempolicy)}, -- {SCMP_SYS (set_mempolicy)}, -- {SCMP_SYS (migrate_pages)}, -+ {SCMP_SYS (move_pages), EPERM}, -+ {SCMP_SYS (mbind), EPERM}, -+ {SCMP_SYS (get_mempolicy), EPERM}, -+ {SCMP_SYS (set_mempolicy), EPERM}, -+ {SCMP_SYS (migrate_pages), EPERM}, - - /* Don't allow subnamespace setups: */ -- {SCMP_SYS (unshare)}, -- {SCMP_SYS (mount)}, -- {SCMP_SYS (pivot_root)}, -+ {SCMP_SYS (unshare), EPERM}, -+ {SCMP_SYS (mount), EPERM}, -+ {SCMP_SYS (pivot_root), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack - * and flags arguments are reversed so the flags come second */ -- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, -+ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, - #else - /* Normally the flags come first */ -- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, -+ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, - #endif - - /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ -- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, -+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, - }; - - struct - { - int scall; -+ int errnum; - struct scmp_arg_cmp *arg; - } syscall_nondevel_blocklist[] = { - /* Profiling operations; we expect these to be done by tools from outside - * the sandbox. In particular perf has been the source of many CVEs. - */ -- {SCMP_SYS (perf_event_open)}, -+ {SCMP_SYS (perf_event_open), EPERM}, - /* Don't allow you to switch to bsd emulation or whatnot */ -- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)}, -- {SCMP_SYS (ptrace)} -+ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)}, -+ {SCMP_SYS (ptrace), EPERM} - }; - /* Blocklist all but unix, inet, inet6 and netlink */ - struct -@@ -2762,10 +2764,14 @@ setup_seccomp (FlatpakBwrap *bwrap, - for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++) - { - int scall = syscall_blocklist[i].scall; -+ int errnum = syscall_blocklist[i].errnum; -+ -+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); -+ - if (syscall_blocklist[i].arg) -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); - else -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - if (r < 0 && r == -EFAULT /* unknown syscall */) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } -@@ -2775,10 +2781,14 @@ setup_seccomp (FlatpakBwrap *bwrap, - for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++) - { - int scall = syscall_nondevel_blocklist[i].scall; -+ int errnum = syscall_nondevel_blocklist[i].errnum; -+ -+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE); -+ - if (syscall_nondevel_blocklist[i].arg) -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg); - else -- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0); -+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - - if (r < 0 && r == -EFAULT /* unknown syscall */) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); --- -2.31.1 - - -From 0f1fbc35a6c3d17465614427fadaf9866984a297 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 12:44:04 +0100 -Subject: [PATCH 02/11] run: Add cross-references for some other seccomp - syscall filters - -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 14212e1f6e55..d51e535b822f 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2618,6 +2618,10 @@ setup_seccomp (FlatpakBwrap *bwrap, - * https://git.gnome.org/browse/linux-user-chroot - * in src/setup-seccomp.c - * -+ * Other useful resources: -+ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c -+ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json -+ * - **** END NOTE ON CODE SHARING - */ - struct --- -2.31.1 - - -From 5dcb1f731c6dacf85ad5ea61230f049cbf2b3bbf Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:17:04 +0100 -Subject: [PATCH 03/11] common: Add a list of recently-added Linux syscalls - -Historically, syscalls could take arbitrarily-different values on -different architectures, but new syscalls are added with syscall numbers -that align on each architecture. - -Signed-off-by: Simon McVittie ---- - common/Makefile.am.inc | 1 + - common/flatpak-run.c | 2 + - common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++ - 3 files changed, 200 insertions(+) - create mode 100644 common/flatpak-syscalls-private.h - -diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc -index 82d85ad78724..599146ab00b9 100644 ---- a/common/Makefile.am.inc -+++ b/common/Makefile.am.inc -@@ -153,6 +153,7 @@ libflatpak_common_la_SOURCES = \ - common/flatpak-remote.c \ - common/flatpak-run-private.h \ - common/flatpak-run.c \ -+ common/flatpak-syscalls-private.h \ - common/flatpak-transaction-private.h \ - common/flatpak-transaction.c \ - common/flatpak-transaction.h \ -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index d51e535b822f..7015b11a07fe 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -41,6 +41,8 @@ - #include - #endif - -+#include "flatpak-syscalls-private.h" -+ - #ifdef ENABLE_SECCOMP - #include - #endif -diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h -new file mode 100644 -index 000000000000..04eb38ce3631 ---- /dev/null -+++ b/common/flatpak-syscalls-private.h -@@ -0,0 +1,197 @@ -+/* -+ * Copyright 2021 Collabora Ltd. -+ * SPDX-License-Identifier: LGPL-2.1-or-later -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library. If not, see . -+ */ -+ -+#pragma once -+ -+#include -+ -+#if defined(_MIPS_SIM) -+# if _MIPS_SIM == _MIPS_SIM_ABI32 -+# define FLATPAK_MISSING_SYSCALL_BASE 4000 -+# elif _MIPS_SIM == _MIPS_SIM_ABI64 -+# define FLATPAK_MISSING_SYSCALL_BASE 5000 -+# elif _MIPS_SIM == _MIPS_SIM_NABI32 -+# define FLATPAK_MISSING_SYSCALL_BASE 6000 -+# else -+# error "Unknown MIPS ABI" -+# endif -+#endif -+ -+#if defined(__ia64__) -+# define FLATPAK_MISSING_SYSCALL_BASE 1024 -+#endif -+ -+#if defined(__alpha__) -+# define FLATPAK_MISSING_SYSCALL_BASE 110 -+#endif -+ -+#if defined(__x86_64__) && defined(__ILP32__) -+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000 -+#endif -+ -+/* -+ * FLATPAK_MISSING_SYSCALL_BASE: -+ * -+ * Number to add to the syscall numbers of recently-added syscalls -+ * to get the appropriate syscall for the current ABI. -+ */ -+#ifndef FLATPAK_MISSING_SYSCALL_BASE -+# define FLATPAK_MISSING_SYSCALL_BASE 0 -+#endif -+ -+#ifndef __NR_open_tree -+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428) -+#endif -+#ifndef __SNR_open_tree -+# define __SNR_open_tree __NR_open_tree -+#endif -+ -+#ifndef __NR_move_mount -+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429) -+#endif -+#ifndef __SNR_move_mount -+# define __SNR_move_mount __NR_move_mount -+#endif -+ -+#ifndef __NR_fsopen -+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430) -+#endif -+#ifndef __SNR_fsopen -+# define __SNR_fsopen __NR_fsopen -+#endif -+ -+#ifndef __NR_fsconfig -+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431) -+#endif -+#ifndef __SNR_fsconfig -+# define __SNR_fsconfig __NR_fsconfig -+#endif -+ -+#ifndef __NR_fsmount -+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432) -+#endif -+#ifndef __SNR_fsmount -+# define __SNR_fsmount __NR_fsmount -+#endif -+ -+#ifndef __NR_fspick -+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433) -+#endif -+#ifndef __SNR_fspick -+# define __SNR_fspick __NR_fspick -+#endif -+ -+#ifndef __NR_pidfd_open -+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434) -+#endif -+#ifndef __SNR_pidfd_open -+# define __SNR_pidfd_open __NR_pidfd_open -+#endif -+ -+#ifndef __NR_clone3 -+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435) -+#endif -+#ifndef __SNR_clone3 -+# define __SNR_clone3 __NR_clone3 -+#endif -+ -+#ifndef __NR_close_range -+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436) -+#endif -+#ifndef __SNR_close_range -+# define __SNR_close_range __NR_close_range -+#endif -+ -+#ifndef __NR_openat2 -+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437) -+#endif -+#ifndef __SNR_openat2 -+# define __SNR_openat2 __NR_openat2 -+#endif -+ -+#ifndef __NR_pidfd_getfd -+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438) -+#endif -+#ifndef __SNR_pidfd_getfd -+# define __SNR_pidfd_getfd __NR_pidfd_getfd -+#endif -+ -+#ifndef __NR_faccessat2 -+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439) -+#endif -+#ifndef __SNR_faccessat2 -+# define __SNR_faccessat2 __NR_faccessat2 -+#endif -+ -+#ifndef __NR_process_madvise -+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440) -+#endif -+#ifndef __SNR_process_madvise -+# define __SNR_process_madvise __NR_process_madvise -+#endif -+ -+#ifndef __NR_epoll_pwait2 -+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441) -+#endif -+#ifndef __SNR_epoll_pwait2 -+# define __SNR_epoll_pwait2 __NR_epoll_pwait2 -+#endif -+ -+#ifndef __NR_mount_setattr -+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442) -+#endif -+#ifndef __SNR_mount_setattr -+# define __SNR_mount_setattr __NR_mount_setattr -+#endif -+ -+#ifndef __NR_quotactl_fd -+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443) -+#endif -+#ifndef __SNR_quotactl_fd -+# define __SNR_quotactl_fd __NR_quotactl_fd -+#endif -+ -+#ifndef __NR_landlock_create_ruleset -+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444) -+#endif -+#ifndef __SNR_landlock_create_ruleset -+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset -+#endif -+ -+#ifndef __NR_landlock_add_rule -+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445) -+#endif -+#ifndef __SNR_landlock_add_rule -+# define __SNR_landlock_add_rule __NR_landlock_add_rule -+#endif -+ -+#ifndef __NR_landlock_restrict_self -+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446) -+#endif -+#ifndef __SNR_landlock_restrict_self -+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self -+#endif -+ -+#ifndef __NR_memfd_secret -+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447) -+#endif -+#ifndef __SNR_memfd_secret -+# define __SNR_memfd_secret __NR_memfd_secret -+#endif -+ -+/* Last updated: Linux 5.14, syscall numbers < 448 */ --- -2.31.1 - - -From 2965b7fa2de4ff13b712dd6ffa7e77bfb431530c Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 11:59:00 +0100 -Subject: [PATCH 04/11] run: Block clone3() in sandbox - -clone3() can be used to implement clone() with CLONE_NEWUSER, allowing -a sandboxed process to get CAP_SYS_ADMIN in a new namespace and -manipulate its root directory. We need to block this so that AF_UNIX-based -socket servers (X11, Wayland, etc.) can rely on -/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Thanks: an anonymous reporter -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 7015b11a07fe..25b3ca40a65a 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2671,6 +2671,12 @@ setup_seccomp (FlatpakBwrap *bwrap, - - /* Don't allow faking input to the controlling tty (CVE-2017-5226) */ - {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)}, -+ -+ /* seccomp can't look into clone3()'s struct clone_args to check whether -+ * the flags are OK, so we have no choice but to block clone3(). -+ * Return ENOSYS so user-space will fall back to clone(). -+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */ -+ {SCMP_SYS (clone3), ENOSYS}, - }; - - struct --- -2.31.1 - - -From 8dd2c81f79e364f485b708e6170a4dbb5c0379d4 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 12:45:54 +0100 -Subject: [PATCH 05/11] run: Disallow recently-added mount-manipulation - syscalls - -If we don't allow mount() then we shouldn't allow these either. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Thanks: an anonymous reporter -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 25b3ca40a65a..a06f75690528 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2677,6 +2677,18 @@ setup_seccomp (FlatpakBwrap *bwrap, - * Return ENOSYS so user-space will fall back to clone(). - * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */ - {SCMP_SYS (clone3), ENOSYS}, -+ -+ /* New mount manipulation APIs can also change our VFS. There's no -+ * legitimate reason to do these in the sandbox, so block all of them -+ * rather than thinking about which ones might be dangerous. -+ * (GHSA-67h7-w3jq-vh4q) */ -+ {SCMP_SYS (open_tree), ENOSYS}, -+ {SCMP_SYS (move_mount), ENOSYS}, -+ {SCMP_SYS (fsopen), ENOSYS}, -+ {SCMP_SYS (fsconfig), ENOSYS}, -+ {SCMP_SYS (fsmount), ENOSYS}, -+ {SCMP_SYS (fspick), ENOSYS}, -+ {SCMP_SYS (mount_setattr), ENOSYS}, - }; - - struct --- -2.31.1 - - -From d448d643d0c5a0b315bbc4eccc605c1afcde8111 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:19:31 +0100 -Subject: [PATCH 06/11] run: Block setns() - -If we don't allow unshare() or clone() with CLONE_NEWUSER, we also -shouldn't allow joining an existing (but different) namespace. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index a06f75690528..09ab8369bcf2 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2658,6 +2658,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - - /* Don't allow subnamespace setups: */ - {SCMP_SYS (unshare), EPERM}, -+ {SCMP_SYS (setns), EPERM}, - {SCMP_SYS (mount), EPERM}, - {SCMP_SYS (pivot_root), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) --- -2.31.1 - - -From c553d29a6d2402489fe2aab2e1fd7f27ffc0ba89 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:20:29 +0100 -Subject: [PATCH 07/11] run: Don't allow unmounting filesystems - -If we don't allow mounting filesystems, we shouldn't allow unmounting -either. - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 09ab8369bcf2..d298f91804ff 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2660,6 +2660,8 @@ setup_seccomp (FlatpakBwrap *bwrap, - {SCMP_SYS (unshare), EPERM}, - {SCMP_SYS (setns), EPERM}, - {SCMP_SYS (mount), EPERM}, -+ {SCMP_SYS (umount), EPERM}, -+ {SCMP_SYS (umount2), EPERM}, - {SCMP_SYS (pivot_root), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack --- -2.31.1 - - -From 0b85038cd1bd2fba41225fa2180ee3cbbde68ee9 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Wed, 1 Sep 2021 14:21:04 +0100 -Subject: [PATCH 08/11] run: Don't allow chroot() - -If we don't allow pivot_root() then there seems no reason why we should -allow chroot(). - -Partially fixes GHSA-67h7-w3jq-vh4q. - -Signed-off-by: Simon McVittie ---- - common/flatpak-run.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index d298f91804ff..9b3648065b82 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2663,6 +2663,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - {SCMP_SYS (umount), EPERM}, - {SCMP_SYS (umount2), EPERM}, - {SCMP_SYS (pivot_root), EPERM}, -+ {SCMP_SYS (chroot), EPERM}, - #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__) - /* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack - * and flags arguments are reversed so the flags come second */ --- -2.31.1 - - -From f0e2093275199ec6ff023c332f012f42615e9f8f Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 8 Oct 2021 17:05:07 +0100 -Subject: [PATCH 09/11] run: Handle unknown syscalls as intended - -The error-handling here was - - if (r < 0 && r == -EFAULT) - -but Alex says it was almost certainly intended to be - - if (r < 0 && r != -EFAULT) - -so that syscalls not known to libseccomp are not a fatal error. - -Instead of literally making that change, emit a debug message on -EFAULT -so we can see what is going on. - -This temporarily weakens our defence against CVE-2021-41133 -(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed -version of libseccomp does not know about the recently-added syscalls, -but the kernel does, then we will not prevent non-native executables -from using those syscalls. - -Resolves: https://github.com/flatpak/flatpak/issues/4458 -Signed-off-by: Simon McVittie -(cherry picked from commit d419fa67038370e4f4c3ce8c3b5f672d4876cfc8) -(cherry picked from commit 270701f900c8612cf1fc5e6f5a6e2eb6459708c1) ---- - common/flatpak-run.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 9b3648065b82..04a034f27392 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2800,7 +2800,16 @@ setup_seccomp (FlatpakBwrap *bwrap, - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg); - else - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); -- if (r < 0 && r == -EFAULT /* unknown syscall */) -+ -+ /* EFAULT means "internal libseccomp error", but in practice we get -+ * this for syscall numbers added via flatpak-syscalls-private.h -+ * when trying to filter them on a non-native architecture, because -+ * libseccomp cannot map the syscall number to a name and back to a -+ * number for the non-native architecture. */ -+ if (r == -EFAULT) -+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", -+ scall); -+ else if (r < 0) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } - -@@ -2818,7 +2827,11 @@ setup_seccomp (FlatpakBwrap *bwrap, - else - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - -- if (r < 0 && r == -EFAULT /* unknown syscall */) -+ /* See above for the meaning of EFAULT. */ -+ if (errno == EFAULT) -+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", -+ scall); -+ else if (r < 0) - return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); - } - } --- -2.31.1 - - -From de504cb72d2978ab67c9aa4bbbd63895128199c2 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 8 Oct 2021 19:00:13 +0100 -Subject: [PATCH 10/11] Fix handling of syscalls only allowed by --devel - -This was incorrectly looking at errno instead of -r. - -Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended" -Signed-off-by: Simon McVittie -(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861) -(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a) ---- - common/flatpak-run.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 04a034f27392..87988b9f7e51 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2828,7 +2828,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0); - - /* See above for the meaning of EFAULT. */ -- if (errno == EFAULT) -+ if (r == -EFAULT) - flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", - scall); - else if (r < 0) --- -2.31.1 - - -From 81492b64bbacc3c523e150ad5164f18973852b28 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 8 Oct 2021 19:06:13 +0100 -Subject: [PATCH 11/11] run: Improve error handling/diagnostics for calls into - libseccomp - -Signed-off-by: Simon McVittie -(cherry picked from commit 53bde36585b88a2b96bf896ed79b40ccb6a72c54) -(cherry picked from commit bd2c58fc27fa5e31029339dbce8eea10717015f3) ---- - common/flatpak-run.c | 46 ++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 40 insertions(+), 6 deletions(-) - -diff --git a/common/flatpak-run.c b/common/flatpak-run.c -index 87988b9f7e51..c72b0cd96598 100644 ---- a/common/flatpak-run.c -+++ b/common/flatpak-run.c -@@ -2572,6 +2572,38 @@ static const uint32_t seccomp_x86_64_extra_arches[] = { SCMP_ARCH_X86, 0, }; - static const uint32_t seccomp_aarch64_extra_arches[] = { SCMP_ARCH_ARM, 0 }; - #endif - -+/* -+ * @negative_errno: Result code as returned by libseccomp functions -+ * -+ * Translate a libseccomp error code into an error message. libseccomp -+ * mostly returns negative `errno` values such as `-ENOMEM`, but some -+ * standard `errno` values are used for non-standard purposes where their -+ * `strerror()` would be misleading. -+ * -+ * Returns: a string version of @negative_errno if possible -+ */ -+static const char * -+flatpak_seccomp_strerror (int negative_errno) -+{ -+ g_return_val_if_fail (negative_errno < 0, "Non-negative error value from libseccomp?"); -+ g_return_val_if_fail (negative_errno > INT_MIN, "Out of range error value from libseccomp?"); -+ -+ switch (negative_errno) -+ { -+ case -EDOM: -+ return "Architecture specific failure"; -+ -+ case -EFAULT: -+ return "Internal libseccomp failure (unknown syscall?)"; -+ -+ case -ECANCELED: -+ return "System failure beyond the control of libseccomp"; -+ } -+ -+ /* e.g. -ENOMEM: the result of strerror() is good enough */ -+ return g_strerror (-negative_errno); -+} -+ - static inline void - cleanup_seccomp (void *p) - { -@@ -2769,7 +2801,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - couldn't continue running. */ - r = seccomp_arch_add (seccomp, arch_id); - if (r < 0 && r != -EEXIST) -- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter")); -+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r)); - - if (multiarch && extra_arches != NULL) - { -@@ -2778,7 +2810,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - { - r = seccomp_arch_add (seccomp, extra_arches[i]); - if (r < 0 && r != -EEXIST) -- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter")); -+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r)); - } - } - } -@@ -2810,7 +2842,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", - scall); - else if (r < 0) -- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); -+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r)); - } - - if (!devel) -@@ -2832,7 +2864,7 @@ setup_seccomp (FlatpakBwrap *bwrap, - flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?", - scall); - else if (r < 0) -- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall); -+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r)); - } - } - -@@ -2862,8 +2894,10 @@ setup_seccomp (FlatpakBwrap *bwrap, - if (!glnx_open_anonymous_tmpfile_full (O_RDWR | O_CLOEXEC, "/tmp", &seccomp_tmpf, error)) - return FALSE; - -- if (seccomp_export_bpf (seccomp, seccomp_tmpf.fd) != 0) -- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf")); -+ r = seccomp_export_bpf (seccomp, seccomp_tmpf.fd); -+ -+ if (r != 0) -+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf: %s"), flatpak_seccomp_strerror (r)); - - lseek (seccomp_tmpf.fd, 0, SEEK_SET); - --- -2.31.1 - diff --git a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch b/SOURCES/flatpak-1.8.5-post-cve-fixes.patch deleted file mode 100644 index a5ee71c..0000000 --- a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 18 Jan 2021 17:52:13 +0000 -Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments - -This means we can systematically pass the environment variables -through bwrap(1), even if it is setuid and thus is filtering out -security-sensitive environment variables. bwrap itself ends up being -run with an empty environment instead. - -This fixes a regression when CVE-2021-21261 was fixed: before the -CVE fixes, LD_LIBRARY_PATH would have been passed through like this -and appeared in the `flatpak build` shell, but during the CVE fixes, -the special case that protected LD_LIBRARY_PATH was removed in favour -of the more general flatpak_bwrap_envp_to_args(). That reasoning only -works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere -that we run the potentially-setuid bwrap. - -Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" -Resolves: https://github.com/flatpak/flatpak/issues/4080 -Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323 -Signed-off-by: Simon McVittie -(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0) ---- - app/flatpak-builtins-build.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c -index 8da0de814..07ef6fc07 100644 ---- a/app/flatpak-builtins-build.c -+++ b/app/flatpak-builtins-build.c -@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError - NULL); - } - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error)) - return FALSE; - -From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 18 Jan 2021 18:07:38 +0000 -Subject: [PATCH] dir: Pass environment via bwrap --setenv when running - apply_extra - -This means we can systematically pass the environment variables -through bwrap(1), even if it is setuid and thus is filtering out -security-sensitive environment variables. bwrap ends up being -run with an empty environment instead. - -As with the previous commit, this regressed while fixing CVE-2021-21261. - -Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments" -Signed-off-by: Simon McVittie -(cherry picked from commit fb473cad801c6b61706353256cab32330557374a) ---- - common/flatpak-dir.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c -index ed1248e74..40767fa77 100644 ---- a/common/flatpak-dir.c -+++ b/common/flatpak-dir.c -@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self, - app_context, NULL, NULL, NULL, cancellable, error)) - return FALSE; - -+ flatpak_bwrap_envp_to_args (bwrap); -+ - flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra"); - - flatpak_bwrap_finish (bwrap); diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec index c08d102..a9c988c 100644 --- a/SPECS/flatpak.spec +++ b/SPECS/flatpak.spec @@ -2,19 +2,13 @@ %global ostree_version 2018.9 Name: flatpak -Version: 1.8.5 -Release: 5%{?dist} +Version: 1.8.7 +Release: 1%{?dist} Summary: Application deployment framework for desktop apps License: LGPLv2+ URL: http://flatpak.org/ Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz -# https://bugzilla.redhat.com/show_bug.cgi?id=1918776 -Patch0: flatpak-1.8.5-post-cve-fixes.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1938064 -Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2012868 -Patch2: flatpak-1.8.5-fix-CVE-2021-41133.patch BuildRequires: autoconf BuildRequires: automake @@ -253,8 +247,17 @@ fi %changelog -* Tue Oct 26 2021 Debarshi Ray - 1.8.5-5 -- Fix CVE-2021-41133 (#2012868) +* Thu Feb 03 2022 Debarshi Ray - 1.8.7-1 +- Rebase to 1.8.7 (#2041972) + +* Tue Jan 25 2022 Debarshi Ray - 1.8.6-1 +- Rebase to 1.8.6 (#2010533) + +* Tue Oct 26 2021 Debarshi Ray - 1.8.5-6 +- Fix CVE-2021-41133 (#2012869) + +* Tue Oct 05 2021 Debarshi Ray - 1.8.5-5 +- Disable gvfs plugins when listing flatpak installations (#1980438) * Wed Jul 28 2021 Tomas Popela - 1.8.5-4 - Ship flatpak-devel in CRB (#1938064)