

No commits in common. "imports/c8s/flatpak-1.8.5-6.el8" and "c8" have entirely different histories.

9 changed files with 443 additions and 1034 deletions


@ -1 +1 @@
a3dcd13e85090e9d8156f1db2a375074e459aa79 SOURCES/flatpak-1.8.5.tar.xz 41429400eab33868b6c6045fe235e86e1086a056 SOURCES/flatpak-1.12.9.tar.xz

.gitignore vendored

@ -1 +1 @@
SOURCES/flatpak-1.8.5.tar.xz SOURCES/flatpak-1.12.9.tar.xz


@ -0,0 +1,330 @@
From 8451fa0ae30397b83705a193aa0d3f7752486dda Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:22:30 +0200
Subject: [PATCH 1/4] Don't follow symlinks when mounting persisted directories
These directories are in a location under application control, so we
can't trust them to not be a symlink outside of the files accessibe to
the application.
Continue to treat --persist=/foo as --persist=foo for backwards compat,
since this is how it (accidentally) worked before, but print a warning.
Don't allow ".." elements in persist paths: these would not be useful
anyway, and are unlikely to be in use, however they could potentially
be used to confuse the persist path handling.
This partially addresses CVE-2024-42472. If only one instance of the
malicious or compromised app is run at a time, the vulnerability
is avoided. If two instances can run concurrently, there is a
time-of-check/time-of-use issue remaining, which can only be resolved
with changes to bubblewrap; this will be resolved in a separate commit,
because the bubblewrap dependency might be more difficult to provide in
LTS distributions.
Helps: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
[smcv: Use g_warning() if unable to create --persist paths]
[smcv: Use stat() to detect symlinks and warn about them]
[smcv: Use glnx_steal_fd() for portability to older GLib]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 108 +++++++++++++++++++++++++++++++++++++--
1 file changed, 105 insertions(+), 3 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 53b79807..8c784acf 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2686,6 +2686,90 @@ flatpak_context_get_exports_full (FlatpakContext *context,
return g_steal_pointer (&exports);
}
+/* This creates zero or more directories unders base_fd+basedir, each
+ * being guaranteed to either exist and be a directory (no symlinks)
+ * or be created as a directory. The last directory is opened
+ * and the fd is returned.
+ */
+static gboolean
+mkdir_p_open_nofollow_at (int base_fd,
+ const char *basedir,
+ int mode,
+ const char *subdir,
+ int *out_fd,
+ GError **error)
+{
+ glnx_autofd int parent_fd = -1;
+
+ if (g_path_is_absolute (subdir))
+ {
+ const char *skipped_prefix = subdir;
+
+ while (*skipped_prefix == '/')
+ skipped_prefix++;
+
+ g_warning ("--persist=\"%s\" is deprecated, treating it as --persist=\"%s\"", subdir, skipped_prefix);
+ subdir = skipped_prefix;
+ }
+
+ g_autofree char *subdir_dirname = g_path_get_dirname (subdir);
+
+ if (strcmp (subdir_dirname, ".") == 0)
+ {
+ /* It is ok to open basedir with follow=true */
+ if (!glnx_opendirat (base_fd, basedir, TRUE, &parent_fd, error))
+ return FALSE;
+ }
+ else if (strcmp (subdir_dirname, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+ else
+ {
+ if (!mkdir_p_open_nofollow_at (base_fd, basedir, mode,
+ subdir_dirname, &parent_fd, error))
+ return FALSE;
+ }
+
+ g_autofree char *subdir_basename = g_path_get_basename (subdir);
+
+ if (strcmp (subdir_basename, ".") == 0)
+ {
+ *out_fd = glnx_steal_fd (&parent_fd);
+ return TRUE;
+ }
+ else if (strcmp (subdir_basename, "..") == 0)
+ {
+ return glnx_throw (error, "'..' not supported in --persist paths");
+ }
+
+ if (!glnx_shutil_mkdir_p_at (parent_fd, subdir_basename, mode, NULL, error))
+ return FALSE;
+
+ int fd = openat (parent_fd, subdir_basename, O_PATH | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY | O_NOFOLLOW);
+ if (fd == -1)
+ {
+ int saved_errno = errno;
+ struct stat stat_buf;
+
+ /* If it's a symbolic link, that could be a user trying to offload
+ * large data to another filesystem, but it could equally well be
+ * a malicious or compromised app trying to exploit GHSA-7hgv-f2j8-xw87.
+ * Produce a clearer error message in this case.
+ * Unfortunately the errno we get in this case is ENOTDIR, so we have
+ * to ask again to find out whether it's really a symlink. */
+ if (saved_errno == ENOTDIR &&
+ fstatat (parent_fd, subdir_basename, &stat_buf, AT_SYMLINK_NOFOLLOW) == 0 &&
+ S_ISLNK (stat_buf.st_mode))
+ return glnx_throw (error, "Symbolic link \"%s\" not allowed to avoid sandbox escape", subdir_basename);
+
+ return glnx_throw_errno_prefix (error, "openat(%s)", subdir_basename);
+ }
+
+ *out_fd = fd;
+ return TRUE;
+}
+
void
flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
FlatpakBwrap *bwrap,
@@ -2709,12 +2793,30 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
while (g_hash_table_iter_next (&iter, &key, NULL))
{
const char *persist = key;
- g_autofree char *src = g_build_filename (g_get_home_dir (), ".var/app", app_id, persist, NULL);
+ g_autofree char *appdir = g_build_filename (g_get_home_dir (), ".var/app", app_id, NULL);
g_autofree char *dest = g_build_filename (g_get_home_dir (), persist, NULL);
+ g_autoptr(GError) local_error = NULL;
+
+ if (g_mkdir_with_parents (appdir, 0755) != 0)
+ {
+ g_warning ("Unable to create directory %s", appdir);
+ continue;
+ }
+
+ /* Don't follow symlinks from the persist directory, as it is under user control */
+ glnx_autofd int src_fd = -1;
+ if (!mkdir_p_open_nofollow_at (AT_FDCWD, appdir, 0755,
+ persist, &src_fd,
+ &local_error))
+ {
+ g_warning ("Failed to create persist path %s: %s", persist, local_error->message);
+ continue;
+ }
- g_mkdir_with_parents (src, 0755);
+ g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src, dest);
+ flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
}
}
--
2.46.0
From 5462c9b1e1a34b1104c8a0843a10382e90c9bb6b Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Mon, 3 Jun 2024 12:59:05 +0200
Subject: [PATCH 2/4] Add test coverage for --persist
This adds three "positive" tests: the common case --persist=.persist, the
deprecated spelling --persist=/.persist, and the less common special case
--persist=. as used by Steam.
It also adds "negative" tests for CVE-2024-42472: if the --persist
directory is a symbolic link or contains path segment "..", we want that
to be rejected.
Reproduces: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Add "positive" tests]
[smcv: Exercise --persist=..]
[smcv: Assert that --persist with a symlink produces expected message]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
tests/test-run.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/tests/test-run.sh b/tests/test-run.sh
index dd371df3..bca0845d 100644
--- a/tests/test-run.sh
+++ b/tests/test-run.sh
@@ -24,7 +24,7 @@ set -euo pipefail
skip_without_bwrap
skip_revokefs_without_fuse
-echo "1..20"
+echo "1..21"
# Use stable rather than master as the branch so we can test that the run
# command automatically finds the branch correctly
@@ -512,3 +512,42 @@ ${FLATPAK} ${U} info -m org.test.App > out
assert_file_has_content out "^sdk=org\.test\.Sdk/$(flatpak --default-arch)/stable$"
ok "--sdk option"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=.persist persists a directory"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+# G_DEBUG= to avoid the deprecation warning being fatal
+G_DEBUG= run --command=sh --persist=/.persist org.test.Hello -c 'echo can-persist > .persist/rc'
+sed -e 's,^,#--persist=/.persist# ,g' < "$HOME/.var/app/org.test.Hello/.persist/rc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persist/rc" "can-persist"
+
+ok "--persist=/.persist is a deprecated form of --persist=.persist"
+
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+run --command=sh --persist=. org.test.Hello -c 'echo can-persist > .persistrc'
+sed -e 's,^,#--persist=.# ,g' < "$HOME/.var/app/org.test.Hello/.persistrc" >&2
+assert_file_has_content "$HOME/.var/app/org.test.Hello/.persistrc" "can-persist"
+
+ok "--persist=. persists all files"
+
+mkdir "${TEST_DATA_DIR}/inaccessible"
+echo FOO > ${TEST_DATA_DIR}/inaccessible/secret-file
+rm -fr "$HOME/.var/app/org.test.Hello"
+mkdir -p "$HOME/.var/app/org.test.Hello"
+ln -fns "${TEST_DATA_DIR}/inaccessible" "$HOME/.var/app/org.test.Hello/persist"
+# G_DEBUG= to avoid the warnings being fatal when we reject a --persist option.
+# LC_ALL=C so we get the expected non-localized string.
+LC_ALL=C G_DEBUG= run --command=ls --persist=persist --persist=relative/../escape org.test.Hello -la ~/persist &> hello_out || true
+sed -e 's,^,#--persist=symlink# ,g' < hello_out >&2
+assert_file_has_content hello_out "not allowed to avoid sandbox escape"
+assert_not_file_has_content hello_out "secret-file"
+
+ok "--persist doesn't allow sandbox escape via a symlink (CVE-2024-42472)"
--
2.46.0
From 04d8ad3009cd8a4350fba6cf7cc6c7819ccdfd34 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Mon, 12 Aug 2024 19:48:18 +0100
Subject: [PATCH 3/4] build: Require a version of bubblewrap with the --bind-fd
option
We need this for the --bind-fd option, which will close a race
condition in our solution to CVE-2024-42472.
For this stable branch, check the --help output for a --bind-fd option
instead of requiring a specific version number, to accommodate possible
backports in LTS distributions.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
configure.ac | 3 +++
1 file changed, 3 insertions(+)
diff --git a/configure.ac b/configure.ac
index 0a44e11a..0c8e2d0e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -175,6 +175,9 @@ if test "x$BWRAP" != xfalse; then
BWRAP_VERSION=`$BWRAP --version | sed 's,.*\ \([0-9]*\.[0-9]*\.[0-9]*\)$,\1,'`
AX_COMPARE_VERSION([$SYSTEM_BWRAP_REQS],[gt],[$BWRAP_VERSION],
[AC_MSG_ERROR([You need at least version $SYSTEM_BWRAP_REQS of bubblewrap to use the system installed version])])
+ AS_IF([$BWRAP --help | grep '@<:@-@:>@-bind-fd' >/dev/null],
+ [:],
+ [AC_MSG_ERROR([$BWRAP does not list required option --bind-fd in its --help])])
AM_CONDITIONAL([WITH_SYSTEM_BWRAP], [true])
else
AC_CHECK_LIB(cap, cap_from_text, CAP_LIB=-lcap)
--
2.46.0
From 2772f19e50c0e809dde8cf3c105d90ee8baf4fa8 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 14 Aug 2024 13:44:30 +0100
Subject: [PATCH 4/4] persist directories: Pass using new bwrap --bind-fd
option
Instead of passing a /proc/self/fd bind mount we use --bind-fd, which
has two advantages:
* bwrap closes the fd when used, so it doesn't leak into the started app
* bwrap ensures that what was mounted was the passed in fd (same dev/ino),
as there is a small (required) gap between symlink resolve and mount
where the target path could be replaced.
Please note that this change requires an updated version of bubblewrap.
Resolves: CVE-2024-42472, GHSA-7hgv-f2j8-xw87
[smcv: Make whitespace consistent]
Co-authored-by: Simon McVittie <smcv@collabora.com>
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-context.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-context.c b/common/flatpak-context.c
index 8c784acf..baa62728 100644
--- a/common/flatpak-context.c
+++ b/common/flatpak-context.c
@@ -2813,10 +2813,10 @@ flatpak_context_append_bwrap_filesystem (FlatpakContext *context,
continue;
}
- g_autofree char *src_via_proc = g_strdup_printf ("/proc/self/fd/%d", src_fd);
+ g_autofree char *src_via_proc = g_strdup_printf ("%d", src_fd);
flatpak_bwrap_add_fd (bwrap, glnx_steal_fd (&src_fd));
- flatpak_bwrap_add_bind_arg (bwrap, "--bind", src_via_proc, dest);
+ flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_via_proc, dest);
}
}
--
2.46.0
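Review bot: After patch 4/4 the variable still named `src_via_proc` in flatpak_context_append_bwrap_filesystem no longer holds a /proc/self/fd path but only the decimal fd number handed to `--bind-fd`, so the name now suggests a path-based bind is still in use. Renaming it, e.g. `g_autofree char *src_fd_str = g_strdup_printf ("%d", src_fd);` and `flatpak_bwrap_add_bind_arg (bwrap, "--bind-fd", src_fd_str, dest);`, keeps the code self-describing, and a one-line comment that bwrap closes this fd and checks the mounted target against it (same dev/ino), as the commit message explains, would preserve that rationale next to the code. The enclosing function begins and ends outside the hunk. Separately, the shell test in patch 2/4 leaves `${TEST_DATA_DIR}` unquoted in the `echo FOO >` line, unlike the surrounding lines.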


@ -1,86 +0,0 @@
From cb6fce9e4122ace2960c437def3b1a197bb49b3a Mon Sep 17 00:00:00 2001
From: Ryan Gonzalez <rymg19@gmail.com>
Date: Tue, 2 Mar 2021 13:20:07 -0600
Subject: [PATCH 1/3] Disallow @@ and @@u usage in desktop files
Fixes #4146.
---
common/flatpak-dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index e6e4d6fb3..7d3374dad 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,6 +7139,8 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
+ else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
}
From 0bdcb88b2d0013aa435dc03950fb42cef2cbd359 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:49:36 +0000
Subject: [PATCH 2/3] dir: Reserve the whole @@ prefix
If we add new features analogous to file forwarding later, we might
find that we need a different magic token. Let's reserve the whole
@@* namespace so we can call it @@something-else.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 7d3374dad..facfab37a 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7139,7 +7139,7 @@ export_desktop_file (const char *app,
g_string_append_printf (new_exec, " @@ %s @@", arg);
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
- else if (strcmp (arg, "@@") == 0 || strcmp (arg, "@@u") == 0)
+ else if (g_str_has_prefix (arg, "@@"))
g_print (_("Skipping invalid Exec argument %s\n"), arg);
else
g_string_append_printf (new_exec, " %s", arg);
From 230f4c3521cd0dffa446ab9b70e958cdd9241bbe Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 5 Mar 2021 13:51:33 +0000
Subject: [PATCH 3/3] dir: Refuse to export .desktop files with suspicious uses
of @@ tokens
This is either a malicious/compromised app trying to do an attack, or
a mistake that will break handling of %f, %u and so on. Either way,
if we refuse to export the .desktop file, resulting in installation
failing, then it makes the rejection more obvious than quietly
removing the magic tokens.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-dir.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index facfab37a..c5edf346f 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -7140,7 +7140,11 @@ export_desktop_file (const char *app,
else if (strcasecmp (arg, "%u") == 0)
g_string_append_printf (new_exec, " @@u %s @@", arg);
else if (g_str_has_prefix (arg, "@@"))
- g_print (_("Skipping invalid Exec argument %s\n"), arg);
+ {
+ flatpak_fail_error (error, FLATPAK_ERROR_EXPORT_FAILED,
+ _("Invalid Exec argument %s"), arg);
+ goto out;
+ }
else
g_string_append_printf (new_exec, " %s", arg);
}


@ -1,818 +0,0 @@
From e49dee0f37e0264ecd55b86832955d8b98d0d74d Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 11:53:23 +0100
Subject: [PATCH 01/11] run: Add an errno value to seccomp filters
At the moment, if we block a syscall we always make it fail with EPERM,
but this is risky: user-space libraries can start to use new replacements
for old syscalls at any time, and will often treat EPERM as a fatal error.
For new syscalls, we should make the syscall fail with ENOSYS, which is
indistinguishable from running on an older kernel and will cause fallback
to an older implementation, for example clone3() to clone().
In future we should probably move from EPERM to ENOSYS for some of the
syscalls we already block, but for now keep the status quo.
This is a prerequisite for fixing the vulnerability tracked as
GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 62 +++++++++++++++++++++++++-------------------
1 file changed, 36 insertions(+), 26 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 3e26710009f9..14212e1f6e55 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2623,61 +2623,63 @@ setup_seccomp (FlatpakBwrap *bwrap,
struct
{
int scall;
+ int errnum;
struct scmp_arg_cmp *arg;
} syscall_blocklist[] = {
/* Block dmesg */
- {SCMP_SYS (syslog)},
+ {SCMP_SYS (syslog), EPERM},
/* Useless old syscall */
- {SCMP_SYS (uselib)},
+ {SCMP_SYS (uselib), EPERM},
/* Don't allow disabling accounting */
- {SCMP_SYS (acct)},
+ {SCMP_SYS (acct), EPERM},
/* 16-bit code is unnecessary in the sandbox, and modify_ldt is a
historic source of interesting information leaks. */
- {SCMP_SYS (modify_ldt)},
+ {SCMP_SYS (modify_ldt), EPERM},
/* Don't allow reading current quota use */
- {SCMP_SYS (quotactl)},
+ {SCMP_SYS (quotactl), EPERM},
/* Don't allow access to the kernel keyring */
- {SCMP_SYS (add_key)},
- {SCMP_SYS (keyctl)},
- {SCMP_SYS (request_key)},
+ {SCMP_SYS (add_key), EPERM},
+ {SCMP_SYS (keyctl), EPERM},
+ {SCMP_SYS (request_key), EPERM},
/* Scary VM/NUMA ops */
- {SCMP_SYS (move_pages)},
- {SCMP_SYS (mbind)},
- {SCMP_SYS (get_mempolicy)},
- {SCMP_SYS (set_mempolicy)},
- {SCMP_SYS (migrate_pages)},
+ {SCMP_SYS (move_pages), EPERM},
+ {SCMP_SYS (mbind), EPERM},
+ {SCMP_SYS (get_mempolicy), EPERM},
+ {SCMP_SYS (set_mempolicy), EPERM},
+ {SCMP_SYS (migrate_pages), EPERM},
/* Don't allow subnamespace setups: */
- {SCMP_SYS (unshare)},
- {SCMP_SYS (mount)},
- {SCMP_SYS (pivot_root)},
+ {SCMP_SYS (unshare), EPERM},
+ {SCMP_SYS (mount), EPERM},
+ {SCMP_SYS (pivot_root), EPERM},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
* and flags arguments are reversed so the flags come second */
- {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ {SCMP_SYS (clone), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
#else
/* Normally the flags come first */
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ {SCMP_SYS (clone), EPERM, &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
#endif
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
};
struct
{
int scall;
+ int errnum;
struct scmp_arg_cmp *arg;
} syscall_nondevel_blocklist[] = {
/* Profiling operations; we expect these to be done by tools from outside
* the sandbox. In particular perf has been the source of many CVEs.
*/
- {SCMP_SYS (perf_event_open)},
+ {SCMP_SYS (perf_event_open), EPERM},
/* Don't allow you to switch to bsd emulation or whatnot */
- {SCMP_SYS (personality), &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
- {SCMP_SYS (ptrace)}
+ {SCMP_SYS (personality), EPERM, &SCMP_A0 (SCMP_CMP_NE, allowed_personality)},
+ {SCMP_SYS (ptrace), EPERM}
};
/* Blocklist all but unix, inet, inet6 and netlink */
struct
@@ -2762,10 +2764,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
for (i = 0; i < G_N_ELEMENTS (syscall_blocklist); i++)
{
int scall = syscall_blocklist[i].scall;
+ int errnum = syscall_blocklist[i].errnum;
+
+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
+
if (syscall_blocklist[i].arg)
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_blocklist[i].arg);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
else
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
if (r < 0 && r == -EFAULT /* unknown syscall */)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
}
@@ -2775,10 +2781,14 @@ setup_seccomp (FlatpakBwrap *bwrap,
for (i = 0; i < G_N_ELEMENTS (syscall_nondevel_blocklist); i++)
{
int scall = syscall_nondevel_blocklist[i].scall;
+ int errnum = syscall_nondevel_blocklist[i].errnum;
+
+ g_return_val_if_fail (errnum == EPERM || errnum == ENOSYS, FALSE);
+
if (syscall_nondevel_blocklist[i].arg)
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 1, *syscall_nondevel_blocklist[i].arg);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_nondevel_blocklist[i].arg);
else
- r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (EPERM), scall, 0);
+ r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
if (r < 0 && r == -EFAULT /* unknown syscall */)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
--
2.31.1
From 0f1fbc35a6c3d17465614427fadaf9866984a297 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 12:44:04 +0100
Subject: [PATCH 02/11] run: Add cross-references for some other seccomp
syscall filters
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 14212e1f6e55..d51e535b822f 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2618,6 +2618,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
* https://git.gnome.org/browse/linux-user-chroot
* in src/setup-seccomp.c
*
+ * Other useful resources:
+ * https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
+ * https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
+ *
**** END NOTE ON CODE SHARING
*/
struct
--
2.31.1
From 5dcb1f731c6dacf85ad5ea61230f049cbf2b3bbf Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:17:04 +0100
Subject: [PATCH 03/11] common: Add a list of recently-added Linux syscalls
Historically, syscalls could take arbitrarily-different values on
different architectures, but new syscalls are added with syscall numbers
that align on each architecture.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/Makefile.am.inc | 1 +
common/flatpak-run.c | 2 +
common/flatpak-syscalls-private.h | 197 ++++++++++++++++++++++++++++++
3 files changed, 200 insertions(+)
create mode 100644 common/flatpak-syscalls-private.h
diff --git a/common/Makefile.am.inc b/common/Makefile.am.inc
index 82d85ad78724..599146ab00b9 100644
--- a/common/Makefile.am.inc
+++ b/common/Makefile.am.inc
@@ -153,6 +153,7 @@ libflatpak_common_la_SOURCES = \
common/flatpak-remote.c \
common/flatpak-run-private.h \
common/flatpak-run.c \
+ common/flatpak-syscalls-private.h \
common/flatpak-transaction-private.h \
common/flatpak-transaction.c \
common/flatpak-transaction.h \
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index d51e535b822f..7015b11a07fe 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -41,6 +41,8 @@
#include <libmalcontent/malcontent.h>
#endif
+#include "flatpak-syscalls-private.h"
+
#ifdef ENABLE_SECCOMP
#include <seccomp.h>
#endif
diff --git a/common/flatpak-syscalls-private.h b/common/flatpak-syscalls-private.h
new file mode 100644
index 000000000000..04eb38ce3631
--- /dev/null
+++ b/common/flatpak-syscalls-private.h
@@ -0,0 +1,197 @@
+/*
+ * Copyright 2021 Collabora Ltd.
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <sys/syscall.h>
+
+#if defined(_MIPS_SIM)
+# if _MIPS_SIM == _MIPS_SIM_ABI32
+# define FLATPAK_MISSING_SYSCALL_BASE 4000
+# elif _MIPS_SIM == _MIPS_SIM_ABI64
+# define FLATPAK_MISSING_SYSCALL_BASE 5000
+# elif _MIPS_SIM == _MIPS_SIM_NABI32
+# define FLATPAK_MISSING_SYSCALL_BASE 6000
+# else
+# error "Unknown MIPS ABI"
+# endif
+#endif
+
+#if defined(__ia64__)
+# define FLATPAK_MISSING_SYSCALL_BASE 1024
+#endif
+
+#if defined(__alpha__)
+# define FLATPAK_MISSING_SYSCALL_BASE 110
+#endif
+
+#if defined(__x86_64__) && defined(__ILP32__)
+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
+#endif
+
+/*
+ * FLATPAK_MISSING_SYSCALL_BASE:
+ *
+ * Number to add to the syscall numbers of recently-added syscalls
+ * to get the appropriate syscall for the current ABI.
+ */
+#ifndef FLATPAK_MISSING_SYSCALL_BASE
+# define FLATPAK_MISSING_SYSCALL_BASE 0
+#endif
+
+#ifndef __NR_open_tree
+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
+#endif
+#ifndef __SNR_open_tree
+# define __SNR_open_tree __NR_open_tree
+#endif
+
+#ifndef __NR_move_mount
+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
+#endif
+#ifndef __SNR_move_mount
+# define __SNR_move_mount __NR_move_mount
+#endif
+
+#ifndef __NR_fsopen
+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
+#endif
+#ifndef __SNR_fsopen
+# define __SNR_fsopen __NR_fsopen
+#endif
+
+#ifndef __NR_fsconfig
+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
+#endif
+#ifndef __SNR_fsconfig
+# define __SNR_fsconfig __NR_fsconfig
+#endif
+
+#ifndef __NR_fsmount
+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
+#endif
+#ifndef __SNR_fsmount
+# define __SNR_fsmount __NR_fsmount
+#endif
+
+#ifndef __NR_fspick
+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
+#endif
+#ifndef __SNR_fspick
+# define __SNR_fspick __NR_fspick
+#endif
+
+#ifndef __NR_pidfd_open
+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
+#endif
+#ifndef __SNR_pidfd_open
+# define __SNR_pidfd_open __NR_pidfd_open
+#endif
+
+#ifndef __NR_clone3
+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
+#endif
+#ifndef __SNR_clone3
+# define __SNR_clone3 __NR_clone3
+#endif
+
+#ifndef __NR_close_range
+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
+#endif
+#ifndef __SNR_close_range
+# define __SNR_close_range __NR_close_range
+#endif
+
+#ifndef __NR_openat2
+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
+#endif
+#ifndef __SNR_openat2
+# define __SNR_openat2 __NR_openat2
+#endif
+
+#ifndef __NR_pidfd_getfd
+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
+#endif
+#ifndef __SNR_pidfd_getfd
+# define __SNR_pidfd_getfd __NR_pidfd_getfd
+#endif
+
+#ifndef __NR_faccessat2
+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
+#endif
+#ifndef __SNR_faccessat2
+# define __SNR_faccessat2 __NR_faccessat2
+#endif
+
+#ifndef __NR_process_madvise
+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
+#endif
+#ifndef __SNR_process_madvise
+# define __SNR_process_madvise __NR_process_madvise
+#endif
+
+#ifndef __NR_epoll_pwait2
+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
+#endif
+#ifndef __SNR_epoll_pwait2
+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
+#endif
+
+#ifndef __NR_mount_setattr
+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
+#endif
+#ifndef __SNR_mount_setattr
+# define __SNR_mount_setattr __NR_mount_setattr
+#endif
+
+#ifndef __NR_quotactl_fd
+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
+#endif
+#ifndef __SNR_quotactl_fd
+# define __SNR_quotactl_fd __NR_quotactl_fd
+#endif
+
+#ifndef __NR_landlock_create_ruleset
+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
+#endif
+#ifndef __SNR_landlock_create_ruleset
+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
+#endif
+
+#ifndef __NR_landlock_add_rule
+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
+#endif
+#ifndef __SNR_landlock_add_rule
+# define __SNR_landlock_add_rule __NR_landlock_add_rule
+#endif
+
+#ifndef __NR_landlock_restrict_self
+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
+#endif
+#ifndef __SNR_landlock_restrict_self
+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
+#endif
+
+#ifndef __NR_memfd_secret
+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
+#endif
+#ifndef __SNR_memfd_secret
+# define __SNR_memfd_secret __NR_memfd_secret
+#endif
+
+/* Last updated: Linux 5.14, syscall numbers < 448 */
--
2.31.1
From 2965b7fa2de4ff13b712dd6ffa7e77bfb431530c Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 11:59:00 +0100
Subject: [PATCH 04/11] run: Block clone3() in sandbox
clone3() can be used to implement clone() with CLONE_NEWUSER, allowing
a sandboxed process to get CAP_SYS_ADMIN in a new namespace and
manipulate its root directory. We need to block this so that AF_UNIX-based
socket servers (X11, Wayland, etc.) can rely on
/proc/PID/root/.flatpak-info existing for all Flatpak-sandboxed apps.
Partially fixes GHSA-67h7-w3jq-vh4q.
Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 7015b11a07fe..25b3ca40a65a 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2671,6 +2671,12 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+
+ /* seccomp can't look into clone3()'s struct clone_args to check whether
+ * the flags are OK, so we have no choice but to block clone3().
+ * Return ENOSYS so user-space will fall back to clone().
+ * (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
+ {SCMP_SYS (clone3), ENOSYS},
};
struct
--
2.31.1
From 8dd2c81f79e364f485b708e6170a4dbb5c0379d4 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 12:45:54 +0100
Subject: [PATCH 05/11] run: Disallow recently-added mount-manipulation
syscalls
If we don't allow mount() then we shouldn't allow these either.
Partially fixes GHSA-67h7-w3jq-vh4q.
Thanks: an anonymous reporter
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 25b3ca40a65a..a06f75690528 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2677,6 +2677,18 @@ setup_seccomp (FlatpakBwrap *bwrap,
* Return ENOSYS so user-space will fall back to clone().
* (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d) */
{SCMP_SYS (clone3), ENOSYS},
+
+ /* New mount manipulation APIs can also change our VFS. There's no
+ * legitimate reason to do these in the sandbox, so block all of them
+ * rather than thinking about which ones might be dangerous.
+ * (GHSA-67h7-w3jq-vh4q) */
+ {SCMP_SYS (open_tree), ENOSYS},
+ {SCMP_SYS (move_mount), ENOSYS},
+ {SCMP_SYS (fsopen), ENOSYS},
+ {SCMP_SYS (fsconfig), ENOSYS},
+ {SCMP_SYS (fsmount), ENOSYS},
+ {SCMP_SYS (fspick), ENOSYS},
+ {SCMP_SYS (mount_setattr), ENOSYS},
};
struct
--
2.31.1
From d448d643d0c5a0b315bbc4eccc605c1afcde8111 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:19:31 +0100
Subject: [PATCH 06/11] run: Block setns()
If we don't allow unshare() or clone() with CLONE_NEWUSER, we also
shouldn't allow joining an existing (but different) namespace.
Partially fixes GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index a06f75690528..09ab8369bcf2 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2658,6 +2658,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow subnamespace setups: */
{SCMP_SYS (unshare), EPERM},
+ {SCMP_SYS (setns), EPERM},
{SCMP_SYS (mount), EPERM},
{SCMP_SYS (pivot_root), EPERM},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
--
2.31.1
From c553d29a6d2402489fe2aab2e1fd7f27ffc0ba89 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:20:29 +0100
Subject: [PATCH 07/11] run: Don't allow unmounting filesystems
If we don't allow mounting filesystems, we shouldn't allow unmounting
either.
Partially fixes GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 09ab8369bcf2..d298f91804ff 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2660,6 +2660,8 @@ setup_seccomp (FlatpakBwrap *bwrap,
{SCMP_SYS (unshare), EPERM},
{SCMP_SYS (setns), EPERM},
{SCMP_SYS (mount), EPERM},
+ {SCMP_SYS (umount), EPERM},
+ {SCMP_SYS (umount2), EPERM},
{SCMP_SYS (pivot_root), EPERM},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
--
2.31.1
From 0b85038cd1bd2fba41225fa2180ee3cbbde68ee9 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Wed, 1 Sep 2021 14:21:04 +0100
Subject: [PATCH 08/11] run: Don't allow chroot()
If we don't allow pivot_root() then there seems no reason why we should
allow chroot().
Partially fixes GHSA-67h7-w3jq-vh4q.
Signed-off-by: Simon McVittie <smcv@collabora.com>
---
common/flatpak-run.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index d298f91804ff..9b3648065b82 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2663,6 +2663,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
{SCMP_SYS (umount), EPERM},
{SCMP_SYS (umount2), EPERM},
{SCMP_SYS (pivot_root), EPERM},
+ {SCMP_SYS (chroot), EPERM},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
* and flags arguments are reversed so the flags come second */
--
2.31.1
From f0e2093275199ec6ff023c332f012f42615e9f8f Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 8 Oct 2021 17:05:07 +0100
Subject: [PATCH 09/11] run: Handle unknown syscalls as intended
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: https://github.com/flatpak/flatpak/issues/4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa67038370e4f4c3ce8c3b5f672d4876cfc8)
(cherry picked from commit 270701f900c8612cf1fc5e6f5a6e2eb6459708c1)
---
common/flatpak-run.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 9b3648065b82..04a034f27392 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2800,7 +2800,16 @@ setup_seccomp (FlatpakBwrap *bwrap,
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 1, *syscall_blocklist[i].arg);
else
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+
+ /* EFAULT means "internal libseccomp error", but in practice we get
+ * this for syscall numbers added via flatpak-syscalls-private.h
+ * when trying to filter them on a non-native architecture, because
+ * libseccomp cannot map the syscall number to a name and back to a
+ * number for the non-native architecture. */
+ if (r == -EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
}
@@ -2818,7 +2827,11 @@ setup_seccomp (FlatpakBwrap *bwrap,
else
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
- if (r < 0 && r == -EFAULT /* unknown syscall */)
+ /* See above for the meaning of EFAULT. */
+ if (errno == EFAULT)
+ flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
+ scall);
+ else if (r < 0)
return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
}
}
--
2.31.1
From de504cb72d2978ab67c9aa4bbbd63895128199c2 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 8 Oct 2021 19:00:13 +0100
Subject: [PATCH 10/11] Fix handling of syscalls only allowed by --devel
This was incorrectly looking at errno instead of -r.
Fixes: 0b38b0f0 "run: Handle unknown syscalls as intended"
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 3fc8c672676ae016f8e7cc90481b2feecbad9861)
(cherry picked from commit 97e128c2c1520202486b5e165e1734cbb421568a)
---
common/flatpak-run.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 04a034f27392..87988b9f7e51 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2828,7 +2828,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
r = seccomp_rule_add (seccomp, SCMP_ACT_ERRNO (errnum), scall, 0);
/* See above for the meaning of EFAULT. */
- if (errno == EFAULT)
+ if (r == -EFAULT)
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
scall);
else if (r < 0)
--
2.31.1
From 81492b64bbacc3c523e150ad5164f18973852b28 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@collabora.com>
Date: Fri, 8 Oct 2021 19:06:13 +0100
Subject: [PATCH 11/11] run: Improve error handling/diagnostics for calls into
libseccomp
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit 53bde36585b88a2b96bf896ed79b40ccb6a72c54)
(cherry picked from commit bd2c58fc27fa5e31029339dbce8eea10717015f3)
---
common/flatpak-run.c | 46 ++++++++++++++++++++++++++++++++++++++------
1 file changed, 40 insertions(+), 6 deletions(-)
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 87988b9f7e51..c72b0cd96598 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2572,6 +2572,38 @@ static const uint32_t seccomp_x86_64_extra_arches[] = { SCMP_ARCH_X86, 0, };
static const uint32_t seccomp_aarch64_extra_arches[] = { SCMP_ARCH_ARM, 0 };
#endif
+/*
+ * @negative_errno: Result code as returned by libseccomp functions
+ *
+ * Translate a libseccomp error code into an error message. libseccomp
+ * mostly returns negative `errno` values such as `-ENOMEM`, but some
+ * standard `errno` values are used for non-standard purposes where their
+ * `strerror()` would be misleading.
+ *
+ * Returns: a string version of @negative_errno if possible
+ */
+static const char *
+flatpak_seccomp_strerror (int negative_errno)
+{
+ g_return_val_if_fail (negative_errno < 0, "Non-negative error value from libseccomp?");
+ g_return_val_if_fail (negative_errno > INT_MIN, "Out of range error value from libseccomp?");
+
+ switch (negative_errno)
+ {
+ case -EDOM:
+ return "Architecture specific failure";
+
+ case -EFAULT:
+ return "Internal libseccomp failure (unknown syscall?)";
+
+ case -ECANCELED:
+ return "System failure beyond the control of libseccomp";
+ }
+
+ /* e.g. -ENOMEM: the result of strerror() is good enough */
+ return g_strerror (-negative_errno);
+}
+
static inline void
cleanup_seccomp (void *p)
{
@@ -2769,7 +2801,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
couldn't continue running. */
r = seccomp_arch_add (seccomp, arch_id);
if (r < 0 && r != -EEXIST)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter"));
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r));
if (multiarch && extra_arches != NULL)
{
@@ -2778,7 +2810,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
{
r = seccomp_arch_add (seccomp, extra_arches[i]);
if (r < 0 && r != -EEXIST)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter"));
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to add multiarch architecture to seccomp filter: %s"), flatpak_seccomp_strerror (r));
}
}
}
@@ -2810,7 +2842,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
scall);
else if (r < 0)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r));
}
if (!devel)
@@ -2832,7 +2864,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
flatpak_debug2 ("Unable to block syscall %d: syscall not known to libseccomp?",
scall);
else if (r < 0)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d"), scall);
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to block syscall %d: %s"), scall, flatpak_seccomp_strerror (r));
}
}
@@ -2862,8 +2894,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
if (!glnx_open_anonymous_tmpfile_full (O_RDWR | O_CLOEXEC, "/tmp", &seccomp_tmpf, error))
return FALSE;
- if (seccomp_export_bpf (seccomp, seccomp_tmpf.fd) != 0)
- return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf"));
+ r = seccomp_export_bpf (seccomp, seccomp_tmpf.fd);
+
+ if (r != 0)
+ return flatpak_fail_error (error, FLATPAK_ERROR_SETUP_FAILED, _("Failed to export bpf: %s"), flatpak_seccomp_strerror (r));
lseek (seccomp_tmpf.fd, 0, SEEK_SET);
--
2.31.1

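--- a/SOURCES/flatpak-1.8.5-post-cve-fixes.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 93ecea3488081a726bcd2ddb04d557decaa87f80 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 17:52:13 +0000
-Subject: [PATCH] build: Convert environment into a sequence of bwrap arguments
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap itself ends up being
-run with an empty environment instead.
-This fixes a regression when CVE-2021-21261 was fixed: before the
-CVE fixes, LD_LIBRARY_PATH would have been passed through like this
-and appeared in the `flatpak build` shell, but during the CVE fixes,
-the special case that protected LD_LIBRARY_PATH was removed in favour
-of the more general flatpak_bwrap_envp_to_args(). That reasoning only
-works if we use flatpak_bwrap_envp_to_args(), consistently, everywhere
-that we run the potentially-setuid bwrap.
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Resolves: https://github.com/flatpak/flatpak/issues/4080
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980323
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit 9a61d2c44f0a58cebcb9b2787ae88db07ca68bb0)
----
-app/flatpak-builtins-build.c | 2 ++
-1 file changed, 2 insertions(+)
-diff --git a/app/flatpak-builtins-build.c b/app/flatpak-builtins-build.c
-index 8da0de814..07ef6fc07 100644
---- a/app/flatpak-builtins-build.c
-+++ b/app/flatpak-builtins-build.c
-@@ -569,6 +569,8 @@ flatpak_builtin_build (int argc, char **argv, GCancellable *cancellable, GError
-NULL);
-}
-+ flatpak_bwrap_envp_to_args (bwrap);
-+
-if (!flatpak_bwrap_bundle_args (bwrap, 1, -1, FALSE, error))
-return FALSE;
-From f91857c07ede7ef5150a38d6b8e49ee43d6b3d50 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@collabora.com>
-Date: Mon, 18 Jan 2021 18:07:38 +0000
-Subject: [PATCH] dir: Pass environment via bwrap --setenv when running
-apply_extra
-This means we can systematically pass the environment variables
-through bwrap(1), even if it is setuid and thus is filtering out
-security-sensitive environment variables. bwrap ends up being
-run with an empty environment instead.
-As with the previous commit, this regressed while fixing CVE-2021-21261.
-Fixes: 6d1773d2 "run: Convert all environment variables into bwrap arguments"
-Signed-off-by: Simon McVittie <smcv@collabora.com>
-(cherry picked from commit fb473cad801c6b61706353256cab32330557374a)
----
-common/flatpak-dir.c | 2 ++
-1 file changed, 2 insertions(+)
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index ed1248e74..40767fa77 100644
---- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -7426,6 +7426,8 @@ apply_extra_data (FlatpakDir *self,
-app_context, NULL, NULL, NULL, cancellable, error))
-return FALSE;
-+ flatpak_bwrap_envp_to_args (bwrap);
-+
-flatpak_bwrap_add_arg (bwrap, "/app/bin/apply_extra");
-flatpak_bwrap_finish (bwrap);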
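--- a/SOURCES/flatpak-1.8.5-profile.d-Disable-gvfs-plugins-when-listing-flatpak-.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e61282d89bffe0b2ed923d9a0158cee35996e8e4 Mon Sep 17 00:00:00 2001
-From: Mourad De Clerck <bugs-debian@aquazul.com>
-Date: Wed, 25 Nov 2020 13:55:28 +0100
-Subject: [PATCH] profile.d: Disable gvfs plugins when listing flatpak
-installations
-This avoids gvfs-daemon being started when logging in as root via ssh.
-Bug-Debian: https://bugs.debian.org/975710
-(cherry picked from commit f69a35ceec7322e02007b45d676e0b6f1e9376b0)
----
-profile/flatpak.sh | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/profile/flatpak.sh b/profile/flatpak.sh
-index 6c6e113ffd89..9dc6cf901ffd 100644
---- a/profile/flatpak.sh
-+++ b/profile/flatpak.sh
-@@ -5,7 +5,7 @@ if command -v flatpak > /dev/null; then
-(
-unset G_MESSAGES_DEBUG
-echo "${XDG_DATA_HOME:-"$HOME/.local/share"}/flatpak"
-- flatpak --installations
-+ GIO_USE_VFS=local flatpak --installations
-) | (
-new_dirs=
-while read -r install_path
---
-2.31.1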
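--- /dev/null
+++ b/SOURCES/flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
@@ -0,0 +1,28 @@
+From 1c73110795b865246ce3595042dcd2d5e7891359 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <debarshir@gnome.org>
+Date: Mon, 6 Nov 2023 20:27:16 +0100
+Subject: [PATCH] Revert "selinux: Permit using systemd-userdbd"
+This reverts commit 399710ada185c1ee232bc3e6266a71688eb152b7.
+---
+selinux/flatpak.te | 4 ----
+1 file changed, 4 deletions(-)
+diff --git a/selinux/flatpak.te b/selinux/flatpak.te
+index bb3d80e316eb..4cf895c44abe 100644
+--- a/selinux/flatpak.te
++++ b/selinux/flatpak.te
+@@ -33,10 +33,6 @@ optional_policy(`
+policykit_dbus_chat(flatpak_helper_t)
+')
+-optional_policy(`
+- systemd_userdbd_stream_connect(flatpak_helper_t)
+-')
+-
+optional_policy(`
+unconfined_domain(flatpak_helper_t)
+')
+--
+2.41.0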
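Review bot: The revert's description says only which commit it undoes, not why; the spec that carries this patch ties it to RHEL-4220, and that reason belongs in the patch itself so the policy change can be re-evaluated when the target policy changes. Removing `systemd_userdbd_stream_connect(flatpak_helper_t)` means that, if the system helper's user or group lookups go through systemd-userdbd on this platform, those stream connects will now be denied by policy, which is presumably the intended outcome but should be stated. Suggest a sentence after the `This reverts commit ...` line such as `The systemd_userdbd interface is not used on this platform; see RHEL-4220.`, adjusted to the actual rationale.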
@ -1,31 +1,33 @@
%global bubblewrap_version 0.4.0 %global bubblewrap_version 0.4.0-2
%global ostree_version 2018.9 %global ostree_version 2020.8
Name: flatpak Name: flatpak
Version: 1.8.5 Version: 1.12.9
Release: 6%{?dist} Release: 3%{?dist}
Summary: Application deployment framework for desktop apps Summary: Application deployment framework for desktop apps
License: LGPLv2+ License: LGPLv2+
URL: http://flatpak.org/ URL: http://flatpak.org/
Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1918776
Patch0: flatpak-1.8.5-post-cve-fixes.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1938064
Patch1: flatpak-1.8.5-fix-CVE-2021-21381.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1980438
Patch2: flatpak-1.8.5-profile.d-Disable-gvfs-plugins-when-listing-flatpak-.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2012868
Patch3: flatpak-1.8.5-fix-CVE-2021-41133.patch
BuildRequires: autoconf %if 0%{?fedora}
BuildRequires: automake # Add Fedora flatpak repositories
Source1: flatpak-add-fedora-repos.service
%endif
# https://issues.redhat.com/browse/RHEL-4220
Patch0: flatpak-Revert-selinux-Permit-using-systemd-userdbd.patch
# Backported upstream patch for CVE-2024-42472
Patch1: flatpak-1.12.x-CVE-2024-42472.patch
BuildRequires: pkgconfig(appstream-glib) BuildRequires: pkgconfig(appstream-glib)
BuildRequires: pkgconfig(dconf) BuildRequires: pkgconfig(dconf)
BuildRequires: pkgconfig(fuse) BuildRequires: pkgconfig(fuse)
BuildRequires: pkgconfig(gdk-pixbuf-2.0) BuildRequires: pkgconfig(gdk-pixbuf-2.0)
BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(gio-unix-2.0)
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 1.40.0
BuildRequires: pkgconfig(gpgme)
BuildRequires: pkgconfig(json-glib-1.0) BuildRequires: pkgconfig(json-glib-1.0)
BuildRequires: pkgconfig(libarchive) >= 2.8.0 BuildRequires: pkgconfig(libarchive) >= 2.8.0
BuildRequires: pkgconfig(libseccomp) BuildRequires: pkgconfig(libseccomp)
@ -41,19 +43,14 @@ BuildRequires: bubblewrap >= %{bubblewrap_version}
BuildRequires: docbook-dtds BuildRequires: docbook-dtds
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: gettext BuildRequires: gettext
BuildRequires: gettext-devel BuildRequires: libassuan-devel
BuildRequires: gpgme-devel
BuildRequires: gtk-doc
BuildRequires: libcap-devel BuildRequires: libcap-devel
BuildRequires: libtool BuildRequires: python3-devel
BuildRequires: python3-pyparsing BuildRequires: python3-pyparsing
BuildRequires: systemd BuildRequires: systemd
BuildRequires: /usr/bin/python3
BuildRequires: /usr/bin/xmlto BuildRequires: /usr/bin/xmlto
BuildRequires: /usr/bin/xsltproc BuildRequires: /usr/bin/xsltproc
%{?systemd_requires}
Requires: bubblewrap >= %{bubblewrap_version} Requires: bubblewrap >= %{bubblewrap_version}
Requires: librsvg2%{?_isa} Requires: librsvg2%{?_isa}
Requires: ostree-libs%{?_isa} >= %{ostree_version} Requires: ostree-libs%{?_isa} >= %{ostree_version}
@ -131,11 +128,11 @@ This package contains installed tests for %{name}.
%prep %prep
%autosetup -p1 %autosetup -p1
# Make sure to use the RHEL-lifetime supported Python and no other
%py3_shebang_fix scripts/* subprojects/variant-schema-compiler/* tests/*
%build %build
autoreconf --force --install --verbose
(if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi; (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
# Generate consistent IDs between runs to avoid multilib problems. # Generate consistent IDs between runs to avoid multilib problems.
export XMLTO_FLAGS="--stringparam generate.consistent.ids=1" export XMLTO_FLAGS="--stringparam generate.consistent.ids=1"
@ -156,8 +153,18 @@ install -pm 644 NEWS README.md %{buildroot}/%{_pkgdocdir}
install -d %{buildroot}%{_localstatedir}/lib/flatpak install -d %{buildroot}%{_localstatedir}/lib/flatpak
install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d install -d %{buildroot}%{_sysconfdir}/flatpak/remotes.d
rm -f %{buildroot}%{_libdir}/libflatpak.la rm -f %{buildroot}%{_libdir}/libflatpak.la
%if 0%{?fedora}
install -D -t %{buildroot}%{_unitdir} %{SOURCE1}
%endif
%find_lang %{name} %find_lang %{name}
# Work around selinux denials, see
# https://github.com/flatpak/flatpak/issues/4128 for details. Note that we are
# going to need the system env generator if we should enable malcontent support
# in the future.
rm %{buildroot}%{_systemd_system_env_generator_dir}/60-flatpak-system-only
%pre %pre
getent group flatpak >/dev/null || groupadd -r flatpak getent group flatpak >/dev/null || groupadd -r flatpak
@ -167,15 +174,28 @@ getent passwd flatpak >/dev/null || \
exit 0 exit 0
%if 0%{?fedora}
%post %post
# Create an (empty) system-wide repo. %systemd_post flatpak-add-fedora-repos.service
flatpak remote-list --system &> /dev/null || : %endif
%post selinux %post selinux
%selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2 %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2
%if 0%{?fedora}
%preun
%systemd_preun flatpak-add-fedora-repos.service
%endif
%if 0%{?fedora}
%postun
%systemd_postun_with_restart flatpak-add-fedora-repos.service
%endif
%postun selinux %postun selinux
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
%selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2 %selinux_modules_uninstall %{_datadir}/selinux/packages/flatpak.pp.bz2
@ -218,6 +238,7 @@ fi
%{_mandir}/man5/flatpak-installation.5* %{_mandir}/man5/flatpak-installation.5*
%{_mandir}/man5/flatpak-remote.5* %{_mandir}/man5/flatpak-remote.5*
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf %{_sysconfdir}/dbus-1/system.d/org.freedesktop.Flatpak.SystemHelper.conf
%dir %{_sysconfdir}/flatpak
%{_sysconfdir}/flatpak/remotes.d %{_sysconfdir}/flatpak/remotes.d
%{_sysconfdir}/profile.d/flatpak.sh %{_sysconfdir}/profile.d/flatpak.sh
%{_sysusersdir}/flatpak.conf %{_sysusersdir}/flatpak.conf
@ -226,6 +247,10 @@ fi
%{_userunitdir}/flatpak-portal.service %{_userunitdir}/flatpak-portal.service
%{_systemd_user_env_generator_dir}/60-flatpak %{_systemd_user_env_generator_dir}/60-flatpak
%if 0%{?fedora}
%{_unitdir}/flatpak-add-fedora-repos.service
%endif
%files devel %files devel
%{_datadir}/gir-1.0/Flatpak-1.0.gir %{_datadir}/gir-1.0/Flatpak-1.0.gir
%{_datadir}/gtk-doc/ %{_datadir}/gtk-doc/
@ -255,6 +280,39 @@ fi
%changelog %changelog
* Wed Sep 04 2024 Kalev Lember <klember@redhat.com> - 1.12.9-3
- Fix previous changelog entry
* Mon Sep 02 2024 Kalev Lember <klember@redhat.com> - 1.12.9-2
- Backport upstream patches for CVE-2024-42472
- Require bubblewrap version that has new --bind-fd option backported for
addressing CVE-2024-42472
* Tue Apr 30 2024 Kalev Lember <klember@redhat.com> - 1.12.9-1
- Update to 1.12.9 (CVE-2024-32462)
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.12.8-1
- Rebase to 1.12.8 (RHEL-4220)
* Mon Nov 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-3
- Let flatpak own %%{_sysconfdir}/flatpak (RHEL-15822)
* Mon Sep 04 2023 Miro Hrončok <mhroncok@redhat.com> - 1.10.8-2
- Make sure to use the RHEL-lifetime supported Python and no other (RHEL-2225)
* Tue Jul 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 1.10.8-1
- Rebase to 1.10.8 (#2222103)
- Fix CVE-2023-28100 and CVE-2023-28101 (#2180311)
* Wed Mar 09 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.10.7-1
- Rebase to 1.10.7 (#2062417)
* Thu Feb 03 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.7-1
- Rebase to 1.8.7 (#2041972)
* Tue Jan 25 2022 Debarshi Ray <rishi@fedoraproject.org> - 1.8.6-1
- Rebase to 1.8.6 (#2010533)
* Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6 * Tue Oct 26 2021 Debarshi Ray <rishi@fedoraproject.org> - 1.8.5-6
- Fix CVE-2021-41133 (#2012869) - Fix CVE-2021-41133 (#2012869)