From b9f4200b9674638ee2879db568e30219e81d5ed8 Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Thu, 12 May 2022 12:44:59 -0500 Subject: [PATCH 1/2] Bind gssproxy socket into sandbox environment We're using a directory rather than binding a socket directly for increased robustness. In theory, if gssproxy crashes on the host, a new socket that a new gssproxy process creates should be immediately visible inside the sandbox. Nifty. Previously, applications that wanted to use Kerberos authentication would have to punch a sandbox hole for the host's KCM socket. In contrast, this gssproxy socket is designed for use by sandboxed apps. See also: https://github.com/gssapi/gssproxy/issues/45 --- common/flatpak-run.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/common/flatpak-run.c b/common/flatpak-run.c index bf85f47c..3ec007cf 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c @@ -955,6 +955,19 @@ flatpak_run_add_pulseaudio_args (FlatpakBwrap *bwrap, flatpak_bwrap_add_args (bwrap, "--dev-bind", "/dev/snd", "/dev/snd", NULL); } +static void +flatpak_run_add_gssproxy_args (FlatpakBwrap *bwrap) +{ + /* We only expose the gssproxy user service. The gssproxy system service is + * not intended to be exposed to sandboxed environments. + */ + g_autofree char *gssproxy_host_dir = g_build_filename (g_get_user_runtime_dir (), "gssproxy", NULL); + const char *gssproxy_sandboxed_dir = "/run/flatpak/gssproxy/"; + + if (g_file_test (gssproxy_host_dir, G_FILE_TEST_EXISTS)) + flatpak_bwrap_add_args (bwrap, "--ro-bind", gssproxy_host_dir, gssproxy_sandboxed_dir, NULL); +} + static void flatpak_run_add_resolved_args (FlatpakBwrap *bwrap) { @@ -4611,7 +4624,10 @@ flatpak_run_app (FlatpakDecomposed *app_ref, } if ((app_context->shares & FLATPAK_CONTEXT_SHARED_NETWORK) != 0) - flatpak_run_add_resolved_args (bwrap); + { + flatpak_run_add_gssproxy_args (bwrap); + flatpak_run_add_resolved_args (bwrap); + } flatpak_run_add_journal_args (bwrap); add_font_path_args (bwrap); -- 2.37.3 From 9e32923a46ffd336dffc4fa7c7a1ee05ae2d39ae Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Mon, 23 May 2022 09:59:48 -0500 Subject: [PATCH 2/2] Block KRB5CCNAME from inheriting into sandbox If this environment variable is set on the host, it's going to mess up authentication in the sandbox. For example, if the host has: KRB5CCNAME=KCM: then the sandboxed process will try to use the host KCM socket, which is not available in the sandboxed environment, rather than the gssproxy socket that we want it to use. We need to unset it to ensure that whatever configuration we ship in the runtime gets used instead. We have switched the GNOME runtime to use an empty krb5.conf and it works as long as we don't break it with this environment variable meant for the host. --- common/flatpak-run.c | 4 +++- doc/flatpak-run.xml | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/common/flatpak-run.c b/common/flatpak-run.c index 3ec007cf..b650be46 100644 --- a/common/flatpak-run.c +++ b/common/flatpak-run.c @@ -1887,7 +1887,8 @@ static const ExportData default_exports[] = { {"XDG_RUNTIME_DIR", NULL}, /* Some env vars are common enough and will affect the sandbox badly - if set on the host. We clear these always. */ + if set on the host. We clear these always. If updating this list, + also update the list in flatpak-run.xml. */ {"PYTHONPATH", NULL}, {"PERLLIB", NULL}, {"PERL5LIB", NULL}, @@ -1904,6 +1905,7 @@ static const ExportData default_exports[] = { {"GST_PTP_HELPER", NULL}, {"GST_PTP_HELPER_1_0", NULL}, {"GST_INSTALL_PLUGINS_HELPER", NULL}, + {"KRB5CCNAME", NULL}, }; static const ExportData no_ld_so_cache_exports[] = { diff --git a/doc/flatpak-run.xml b/doc/flatpak-run.xml index e1aa5e1c..77cd3ad0 100644 --- a/doc/flatpak-run.xml +++ b/doc/flatpak-run.xml @@ -97,6 +97,7 @@ PERLLIB PERL5LIB XCURSOR_PATH + KRB5CCNAME Also several environment variables with the prefix "GST_" that are used by gstreamer -- 2.37.3