flatpak/CVE-2019-8308.patch

From f2af3137e3e5bdd54cad646046da82218aec3fa7 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Sun, 10 Feb 2019 18:23:44 +0100
Subject: [PATCH] Don't expose /proc when running apply_extra

As shown by CVE-2019-5736, it is sometimes possible for the sandbox
app to access outside files using /proc/self/exe. This is not
typically an issue for flatpak as the sandbox runs as the user which
has no permissions to e.g. modify the host files.

However, when installing apps using extra-data into the system repo
we *do* actually run a sandbox as root. So, in this case we disable mounting
/proc in the sandbox, which will neuter attacks like this.

---
 common/flatpak-common-types-private.h | 1 +
 common/flatpak-dir.c                  | 2 +-
 common/flatpak-run.c                  | 6 +++++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
index e361777..b8f76b9 100644
--- a/common/flatpak-common-types-private.h
+++ b/common/flatpak-common-types-private.h
@@ -45,6 +45,7 @@ typedef enum {
   FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
   FLATPAK_RUN_FLAG_BLUETOOTH          = (1 << 16),
   FLATPAK_RUN_FLAG_CANBUS            = (1 << 17),
+  FLATPAK_RUN_FLAG_NO_PROC            = (1 << 19),
 } FlatpakRunFlags;
 
 typedef struct FlatpakDir          FlatpakDir;
diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
index 236de4b..56bca24 100644
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6511,7 +6511,7 @@ apply_extra_data (FlatpakDir   *self,
                           NULL);
 
   if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
-                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
+                                    FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
                                     error))
     return FALSE;
 
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index cd6672e..c5fe6dc 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2357,9 +2357,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap   *bwrap,
     "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
     "user-config: none\n";
 
+  if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
+    flatpak_bwrap_add_args (bwrap,
+                            "--proc", "/proc",
+                            NULL);
+
   flatpak_bwrap_add_args (bwrap,
                           "--unshare-pid",
-                          "--proc", "/proc",
                           "--dir", "/tmp",
                           "--dir", "/var/tmp",
                           "--dir", "/run/host",
-- 
2.30.0
Fix CVE-2019-8308 (cherry picked from commit 05447785b015c1ceeb19fb077302d15009fa5837) 2021-04-12 11:15:23 +08:00			`From f2af3137e3e5bdd54cad646046da82218aec3fa7 Mon Sep 17 00:00:00 2001`
			`From: Alexander Larsson <alexl@redhat.com>`
			`Date: Sun, 10 Feb 2019 18:23:44 +0100`
			`Subject: [PATCH] Don't expose /proc when running apply_extra`

			`As shown by CVE-2019-5736, it is sometimes possible for the sandbox`
			`app to access outside files using /proc/self/exe. This is not`
			`typically an issue for flatpak as the sandbox runs as the user which`
			`has no permissions to e.g. modify the host files.`

			`However, when installing apps using extra-data into the system repo`
			`we do actually run a sandbox as root. So, in this case we disable mounting`
			`/proc in the sandbox, which will neuter attacks like this.`

			`---`
			`common/flatpak-common-types-private.h \| 1 +`
			`common/flatpak-dir.c \| 2 +-`
			`common/flatpak-run.c \| 6 +++++-`
			`3 files changed, 7 insertions(+), 2 deletions(-)`

			`diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h`
			`index e361777..b8f76b9 100644`
			`--- a/common/flatpak-common-types-private.h`
			`+++ b/common/flatpak-common-types-private.h`
			`@@ -45,6 +45,7 @@ typedef enum {`
			`FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),`
			`FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),`
			`FLATPAK_RUN_FLAG_CANBUS = (1 << 17),`
			`+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),`
			`} FlatpakRunFlags;`

			`typedef struct FlatpakDir FlatpakDir;`
			`diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c`
			`index 236de4b..56bca24 100644`
			`--- a/common/flatpak-dir.c`
			`+++ b/common/flatpak-dir.c`
			`@@ -6511,7 +6511,7 @@ apply_extra_data (FlatpakDir *self,`
			`NULL);`

			`if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],`
			`- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,`
			`+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER \| FLATPAK_RUN_FLAG_NO_PROC,`
			`error))`
			`return FALSE;`

			`diff --git a/common/flatpak-run.c b/common/flatpak-run.c`
			`index cd6672e..c5fe6dc 100644`
			`--- a/common/flatpak-run.c`
			`+++ b/common/flatpak-run.c`
			`@@ -2357,9 +2357,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,`
			`"# Disable user pkcs11 config, because the host modules don't work in the runtime\n"`
			`"user-config: none\n";`

			`+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)`
			`+ flatpak_bwrap_add_args (bwrap,`
			`+ "--proc", "/proc",`
			`+ NULL);`
			`+`
			`flatpak_bwrap_add_args (bwrap,`
			`"--unshare-pid",`
			`- "--proc", "/proc",`
			`"--dir", "/tmp",`
			`"--dir", "/var/tmp",`
			`"--dir", "/run/host",`
			`--`
			`2.30.0`